diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index c702618554..afe30ff75b 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -19590,6 +19590,11 @@ "redirect_url": "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/public/CONTRIBUTING.md#editing-windows-it-professional-documentation", "redirect_document_id": false }, + { + "source_path": "windows/deployment/update/waas-delivery-optimization-faq.md", + "redirect_url": "/windows/deployment/do/waas-delivery-optimization-faq", + "redirect_document_id": false + }, { "source_path": "windows/security/identity-protection/access-control/security-identifiers.md", "redirect_url": "/windows-server/identity/ad-ds/manage/understand-security-identifiers", diff --git a/education/includes/education-content-updates.md b/education/includes/education-content-updates.md index 8c86acd85f..e06d4cfd48 100644 --- a/education/includes/education-content-updates.md +++ b/education/includes/education-content-updates.md @@ -2,6 +2,45 @@ +## Week of August 08, 2022 + + +| Published On |Topic title | Change | +|------|------------|--------| +| 8/10/2022 | [Reset devices with Autopilot Reset](/education/windows/autopilot-reset) | modified | +| 8/10/2022 | [Change history for Windows 10 for Education (Windows 10)](/education/windows/change-history-edu) | modified | +| 8/10/2022 | [Change to Windows 10 Education from Windows 10 Pro](/education/windows/change-to-pro-education) | modified | +| 8/10/2022 | [Chromebook migration guide (Windows 10)](/education/windows/chromebook-migration-guide) | modified | +| 8/10/2022 | [Windows 10 configuration recommendations for education customers](/education/windows/configure-windows-for-education) | modified | +| 8/10/2022 | [Deploy Windows 10 in a school district (Windows 10)](/education/windows/deploy-windows-10-in-a-school-district) | modified | +| 8/10/2022 | [Deploy Windows 10 in a school (Windows 10)](/education/windows/deploy-windows-10-in-a-school) | modified | +| 8/10/2022 | [Deployment recommendations for school IT administrators](/education/windows/edu-deployment-recommendations) | modified | +| 8/10/2022 | [Education scenarios Microsoft Store for Education](/education/windows/education-scenarios-store-for-business) | modified | +| 8/10/2022 | [Enable S mode on Surface Go devices for Education](/education/windows/enable-s-mode-on-surface-go-devices) | modified | +| 8/10/2022 | [Get Minecraft Education Edition](/education/windows/get-minecraft-for-education) | modified | +| 8/10/2022 | [Windows 10 for Education (Windows 10)](/education/windows/index) | modified | +| 8/10/2022 | [Switch to Windows 10 Pro Education in S mode from Windows 10 Pro in S mode](/education/windows/s-mode-switch-to-edu) | modified | +| 8/10/2022 | [For IT administrators get Minecraft Education Edition](/education/windows/school-get-minecraft) | modified | +| 8/10/2022 | [Azure AD Join with Set up School PCs app](/education/windows/set-up-school-pcs-azure-ad-join) | modified | +| 8/10/2022 | [What's in Set up School PCs provisioning package](/education/windows/set-up-school-pcs-provisioning-package) | modified | +| 8/10/2022 | [Shared PC mode for school devices](/education/windows/set-up-school-pcs-shared-pc-mode) | modified | +| 8/10/2022 | [Set up School PCs app technical reference overview](/education/windows/set-up-school-pcs-technical) | modified | +| 8/10/2022 | [What's new in the Windows Set up School PCs app](/education/windows/set-up-school-pcs-whats-new) | modified | +| 8/10/2022 | [Set up student PCs to join domain](/education/windows/set-up-students-pcs-to-join-domain) | modified | +| 8/10/2022 | [Provision student PCs with apps](/education/windows/set-up-students-pcs-with-apps) | modified | +| 8/10/2022 | [Set up Windows devices for education](/education/windows/set-up-windows-10) | modified | +| 8/10/2022 | [Take a Test app technical reference](/education/windows/take-a-test-app-technical) | modified | +| 8/10/2022 | [Set up Take a Test on multiple PCs](/education/windows/take-a-test-multiple-pcs) | modified | +| 8/10/2022 | [Set up Take a Test on a single PC](/education/windows/take-a-test-single-pc) | modified | +| 8/10/2022 | [Take tests in Windows 10](/education/windows/take-tests-in-windows-10) | modified | +| 8/10/2022 | [For teachers get Minecraft Education Edition](/education/windows/teacher-get-minecraft) | modified | +| 8/10/2022 | [Test Windows 10 in S mode on existing Windows 10 education devices](/education/windows/test-windows10s-for-edu) | modified | +| 8/10/2022 | [Use Set up School PCs app](/education/windows/use-set-up-school-pcs-app) | modified | +| 8/10/2022 | [What is Windows 11 SE](/education/windows/windows-11-se-overview) | modified | +| 8/10/2022 | [Windows 11 SE settings list](/education/windows/windows-11-se-settings-list) | modified | +| 8/10/2022 | [Windows 10 editions for education customers](/education/windows/windows-editions-for-education-customers) | modified | + + ## Week of July 25, 2022 @@ -11,11 +50,3 @@ | 7/26/2022 | [Secure the Windows boot process](/education/windows/change-home-to-edu) | modified | | 7/25/2022 | Edit an existing topic using the Edit link | removed | | 7/26/2022 | [Windows Hello for Business Videos](/education/windows/change-home-to-edu) | modified | - - -## Week of June 27, 2022 - - -| Published On |Topic title | Change | -|------|------------|--------| -| 6/30/2022 | Get Minecraft Education Edition with your Windows 10 device promotion | removed | diff --git a/education/index.yml b/education/index.yml index d9e629b791..b67a140734 100644 --- a/education/index.yml +++ b/education/index.yml @@ -10,9 +10,11 @@ metadata: description: Learn about product documentation and resources available for school IT administrators, teachers, students, and education app developers. ms.service: help ms.topic: hub-page - author: LaurenMoynihan - ms.author: v-lamoyn - ms.date: 10/24/2019 + ms.collection: education + author: paolomatarazzo + ms.author: paoloma + ms.date: 08/10/2022 + manager: aaroncz productDirectory: title: For IT admins diff --git a/education/windows/autopilot-reset.md b/education/windows/autopilot-reset.md index 5e41713a4b..ad98be350e 100644 --- a/education/windows/autopilot-reset.md +++ b/education/windows/autopilot-reset.md @@ -1,23 +1,23 @@ --- title: Reset devices with Autopilot Reset description: Gives an overview of Autopilot Reset and how you can enable and use it in your schools. -keywords: Autopilot Reset, Windows 10, education -ms.prod: w10 +keywords: Autopilot Reset, Windows, education +ms.prod: windows ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: edu ms.localizationpriority: medium -author: dansimp -ms.author: dansimp -ms.date: 06/27/2018 +ms.collection: education +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/10/2022 ms.reviewer: -manager: dansimp +manager: aaroncz +appliesto: +- ✅ Windows 10 --- # Reset devices with Autopilot Reset -**Applies to:** - -- Windows 10, version 1709 IT admins or technical teachers can use Autopilot Reset to quickly remove personal files, apps, and settings, and reset Windows 10 devices from the lock screen anytime and apply original settings and management enrollment (Azure Active Directory and device management) so the devices are ready to use. With Autopilot Reset, devices are returned to a fully configured or known IT-approved state. diff --git a/education/windows/change-history-edu.md b/education/windows/change-history-edu.md index 68e0429bb0..9a1acea7a1 100644 --- a/education/windows/change-history-edu.md +++ b/education/windows/change-history-edu.md @@ -2,17 +2,19 @@ title: Change history for Windows 10 for Education (Windows 10) description: New and changed topics in Windows 10 for Education keywords: Windows 10 education documentation, change history -ms.prod: w10 +ms.prod: windows ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: edu -author: dansimp -ms.author: dansimp -ms.date: 05/21/2019 +ms.collection: education +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/10/2022 ms.reviewer: -manager: dansimp +manager: aaroncz +appliesto: +- ✅ Windows 10 --- - # Change history for Windows 10 for Education This topic lists new and updated topics in the [Windows 10 for Education](index.md) documentation. diff --git a/education/windows/change-home-to-edu.md b/education/windows/change-home-to-edu.md index 85b1b85c00..bb3a601ed0 100644 --- a/education/windows/change-home-to-edu.md +++ b/education/windows/change-home-to-edu.md @@ -1,7 +1,7 @@ --- title: Upgrade Windows Home to Windows Education on student-owned devices description: Learn how IT Pros can upgrade student-owned devices from Windows Home to Windows Education using Mobile Device Management or Kivuto OnTheHub with qualifying subscriptions. -ms.date: 07/05/2021 +ms.date: 08/10/2022 ms.prod: windows ms.technology: windows ms.topic: how-to @@ -10,7 +10,10 @@ author: scottbreenmsft ms.author: scbree ms.reviewer: paoloma manager: jeffbu -ms.collection: highpri +ms.collection: education +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- # Upgrade Windows Home to Windows Education on student-owned devices diff --git a/education/windows/change-to-pro-education.md b/education/windows/change-to-pro-education.md index d1ed1e7192..3c0e5424ee 100644 --- a/education/windows/change-to-pro-education.md +++ b/education/windows/change-to-pro-education.md @@ -2,16 +2,19 @@ title: Change to Windows 10 Education from Windows 10 Pro description: Learn how IT Pros can opt into changing to Windows 10 Pro Education from Windows 10 Pro. keywords: change, free change, Windows 10 Pro to Windows 10 Pro Education, Windows 10 Pro to Windows 10 Pro Education, education customers, Windows 10 Pro Education, Windows 10 Pro -ms.prod: w10 +ms.prod: windows ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: edu ms.localizationpriority: medium -author: dansimp -ms.author: dansimp -ms.date: 05/21/2019 +ms.collection: education +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/10/2022 ms.reviewer: -manager: dansimp +manager: aaroncz +appliesto: +- ✅ Windows 10 --- # Change to Windows 10 Pro Education from Windows 10 Pro diff --git a/education/windows/chromebook-migration-guide.md b/education/windows/chromebook-migration-guide.md index 6ecad551d4..b7d6452223 100644 --- a/education/windows/chromebook-migration-guide.md +++ b/education/windows/chromebook-migration-guide.md @@ -2,26 +2,24 @@ title: Chromebook migration guide (Windows 10) description: In this guide, you'll learn how to migrate a Google Chromebook-based learning environment to a Windows 10-based learning environment. ms.assetid: 7A1FA48A-C44A-4F59-B895-86D4D77F8BEA -ms.reviewer: -manager: dansimp keywords: migrate, automate, device, Chromebook migration -ms.prod: w10 +ms.prod: windows ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu, devices ms.localizationpriority: medium -author: dansimp -ms.author: dansimp -ms.date: 10/13/2017 +ms.collection: education +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/10/2022 +ms.reviewer: +manager: aaroncz +appliesto: +- ✅ Windows 10 --- # Chromebook migration guide - -**Applies to** - -- Windows 10 - In this guide, you'll learn how to migrate a Google Chromebook-based learning environment to a Windows 10-based learning environment. You'll learn how to perform the necessary planning steps, including Windows device deployment, migration of user and device settings, app migration or replacement, and cloud storage migration. You'll then learn the best method to perform the migration by using automated deployment and migration tools. ## Plan Chromebook migration diff --git a/education/windows/configure-windows-for-education.md b/education/windows/configure-windows-for-education.md index 6d0c2694a5..4b876aa023 100644 --- a/education/windows/configure-windows-for-education.md +++ b/education/windows/configure-windows-for-education.md @@ -4,21 +4,19 @@ description: Provides guidance on ways to configure the OS diagnostic data, cons keywords: Windows 10 deployment, recommendations, privacy settings, school, education, configurations, accessibility, assistive technology ms.mktglfcycl: plan ms.sitesec: library -ms.prod: w10 +ms.prod: windows ms.pagetype: edu ms.localizationpriority: medium -author: dansimp -ms.author: dansimp -ms.date: +ms.collection: education +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/10/2022 ms.reviewer: -manager: dansimp +manager: aaroncz +appliesto: +- ✅ Windows 10 --- - # Windows 10 configuration recommendations for education customers -**Applies to:** - -- Windows 10 - Privacy is important to us, we want to provide you with ways to customize the OS diagnostic data, consumer experiences, Cortana, search, and some of the preinstalled apps, for usage with [education editions of Windows 10](windows-editions-for-education-customers.md) in education environments. These features work on all Windows 10 editions, but education editions of Windows 10 have the settings preconfigured. We recommend that all Windows 10 devices in an education setting be configured with **[SetEduPolicies](#setedupolicies)** enabled. For more information, see the following table. To learn more about Microsoft's commitment to privacy, see [Windows 10 and privacy](https://go.microsoft.com/fwlink/?LinkId=809305). diff --git a/education/windows/deploy-windows-10-in-a-school-district.md b/education/windows/deploy-windows-10-in-a-school-district.md index aa2e5b4d70..d0a8aa44bd 100644 --- a/education/windows/deploy-windows-10-in-a-school-district.md +++ b/education/windows/deploy-windows-10-in-a-school-district.md @@ -2,24 +2,23 @@ title: Deploy Windows 10 in a school district (Windows 10) description: Learn how to deploy Windows 10 in a school district. Integrate the school environment with Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD), use Microsoft Endpoint Configuration Manager, Intune, and Group Policy to manage devices. keywords: configure, tools, device, school district, deploy Windows 10 -ms.prod: w10 +ms.prod: windows ms.mktglfcycl: plan ms.pagetype: edu ms.sitesec: library ms.localizationpriority: medium -author: dansimp -ms.author: dansimp +ms.collection: education +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/10/2022 ms.reviewer: -manager: dansimp +manager: aaroncz +appliesto: +- ✅ Windows 10 --- # Deploy Windows 10 in a school district -**Applies to** - -- Windows 10 - - This guide shows you how to deploy the Windows 10 operating system in a school district. You learn how to deploy Windows 10 in classrooms; integrate the school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD); and deploy Windows 10 and your apps to new devices or upgrade existing devices to Windows 10. This guide also describes how to use Microsoft Endpoint Configuration Manager, Microsoft Intune, and Group Policy to manage devices. Finally, the guide discusses common, ongoing maintenance tasks that you'll perform after initial deployment and the automated tools and built-in features of the operating system. ## Prepare for district deployment diff --git a/education/windows/deploy-windows-10-in-a-school.md b/education/windows/deploy-windows-10-in-a-school.md index b618ca7b09..d9d1aff417 100644 --- a/education/windows/deploy-windows-10-in-a-school.md +++ b/education/windows/deploy-windows-10-in-a-school.md @@ -2,15 +2,19 @@ title: Deploy Windows 10 in a school (Windows 10) description: Learn how to integrate your school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD). Deploy Windows 10 and apps to new devices or upgrade existing devices to Windows 10. Manage faculty, students, and devices by using Microsoft Intune and Group Policy. keywords: configure, tools, device, school, deploy Windows 10 -ms.prod: w10 +ms.prod: windows ms.mktglfcycl: plan ms.pagetype: edu ms.sitesec: library ms.localizationpriority: medium -author: dansimp -ms.author: dansimp +ms.collection: education +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/10/2022 ms.reviewer: -manager: dansimp +manager: aaroncz +appliesto: +- ✅ Windows 10 --- # Deploy Windows 10 in a school diff --git a/education/windows/edu-deployment-recommendations.md b/education/windows/edu-deployment-recommendations.md index fb2c72d34b..c29d3d4a47 100644 --- a/education/windows/edu-deployment-recommendations.md +++ b/education/windows/edu-deployment-recommendations.md @@ -4,20 +4,19 @@ description: Provides guidance on ways to customize the OS privacy settings, and keywords: Windows 10 deployment, recommendations, privacy settings, school ms.mktglfcycl: plan ms.sitesec: library +ms.prod: windows ms.localizationpriority: medium -author: dansimp -ms.author: dansimp -ms.date: 10/13/2017 +ms.collection: education +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/10/2022 ms.reviewer: -manager: dansimp -ms.prod: w10 +manager: aaroncz +appliesto: +- ✅ Windows 10 --- # Deployment recommendations for school IT administrators -**Applies to:** - -- Windows 10 - Your privacy is important to us, so we want to provide you with ways to customize the OS privacy settings, and some of the apps, so that you can choose what information is shared with Microsoft. To learn more about Microsoft’s commitment to privacy, see [Windows 10 and privacy](https://go.microsoft.com/fwlink/?LinkId=809305). The following sections provide some best practices and specific privacy settings we’d like you to be aware of. For more information about ways to customize the OS diagnostic data, consumer experiences, Cortana, and search, see [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md). diff --git a/education/windows/education-scenarios-store-for-business.md b/education/windows/education-scenarios-store-for-business.md index 7909586e9b..4fbe0e9f89 100644 --- a/education/windows/education-scenarios-store-for-business.md +++ b/education/windows/education-scenarios-store-for-business.md @@ -2,17 +2,20 @@ title: Education scenarios Microsoft Store for Education description: Learn how IT admins and teachers can use Microsoft Store for Education to acquire and manage apps in schools. keywords: school, Microsoft Store for Education, Microsoft education store -ms.prod: w10 +ms.prod: windows ms.mktglfcycl: plan ms.sitesec: library ms.localizationpriority: medium searchScope: - Store -author: dansimp -ms.author: dansimp -ms.date: 03/30/2018 +ms.collection: education +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/10/2022 ms.reviewer: -manager: dansimp +manager: aaroncz +appliesto: +- ✅ Windows 10 --- # Working with Microsoft Store for Education diff --git a/education/windows/enable-s-mode-on-surface-go-devices.md b/education/windows/enable-s-mode-on-surface-go-devices.md index e7dce928ea..e056e38381 100644 --- a/education/windows/enable-s-mode-on-surface-go-devices.md +++ b/education/windows/enable-s-mode-on-surface-go-devices.md @@ -2,16 +2,19 @@ title: Enable S mode on Surface Go devices for Education description: Steps that an education customer can perform to enable S mode on Surface Go devices keywords: Surface Go for Education, S mode -ms.prod: w10 +ms.prod: windows ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: edu ms.localizationpriority: medium -author: dansimp -ms.author: dansimp -ms.date: 07/30/2018 +ms.collection: education +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/10/2022 ms.reviewer: -manager: dansimp +manager: aaroncz +appliesto: +- ✅ Windows 10 --- # Surface Go for Education - Enabling S mode diff --git a/education/windows/get-minecraft-for-education.md b/education/windows/get-minecraft-for-education.md index 2ce2c20be3..f03899ae3d 100644 --- a/education/windows/get-minecraft-for-education.md +++ b/education/windows/get-minecraft-for-education.md @@ -2,27 +2,24 @@ title: Get Minecraft Education Edition description: Learn how to get and distribute Minecraft Education Edition. keywords: school, Minecraft, education edition -ms.prod: w10 +ms.prod: windows ms.mktglfcycl: plan ms.sitesec: library ms.localizationpriority: medium -author: dansimp searchScope: - Store -ms.author: dansimp -ms.date: 01/29/2019 +ms.collection: education +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/10/2022 ms.reviewer: -manager: dansimp -ms.topic: conceptual +manager: aaroncz +appliesto: +- ✅ Windows 10 --- # Get Minecraft: Education Edition -**Applies to:** - -- Windows 10 - - [Minecraft: Education Edition](https://education.minecraft.net/) is built for learning. Watch this video to learn more about Minecraft. diff --git a/education/windows/index.md b/education/windows/index.md index 9db6cd7672..3977c5f664 100644 --- a/education/windows/index.md +++ b/education/windows/index.md @@ -2,14 +2,19 @@ title: Windows 10 for Education (Windows 10) description: Learn how to use Windows 10 in schools. keywords: Windows 10, education -ms.prod: w10 +ms.prod: windows ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: edu ms.localizationpriority: medium -author: dansimp -ms.author: dansimp -ms.date: 10/13/2017 +ms.collection: education +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/10/2022 +ms.reviewer: +manager: aaroncz +appliesto: +- ✅ Windows 10 --- # Windows 10 for Education diff --git a/education/windows/s-mode-switch-to-edu.md b/education/windows/s-mode-switch-to-edu.md index cb2e995ef3..a09d48ae19 100644 --- a/education/windows/s-mode-switch-to-edu.md +++ b/education/windows/s-mode-switch-to-edu.md @@ -4,14 +4,17 @@ description: Switching out of Windows 10 Pro in S mode to Windows 10 Pro Educati keywords: Windows 10 S switch, S mode Switch, switch in S mode, Switch S mode, Windows 10 Pro Education in S mode, S mode, system requirements, Overview, Windows 10 Pro in S mode, Education, EDU ms.mktglfcycl: deploy ms.localizationpriority: medium -ms.prod: w10 +ms.prod: windows ms.sitesec: library ms.pagetype: edu -ms.date: 12/03/2018 +ms.collection: education +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/10/2022 ms.reviewer: -manager: dansimp -ms.author: dansimp -author: dansimp +manager: aaroncz +appliesto: +- ✅ Windows 10 --- # Switch to Windows 10 Pro Education in S mode from Windows 10 Pro in S mode diff --git a/education/windows/school-get-minecraft.md b/education/windows/school-get-minecraft.md index 6ba860cd94..e24c73d2ef 100644 --- a/education/windows/school-get-minecraft.md +++ b/education/windows/school-get-minecraft.md @@ -2,26 +2,25 @@ title: For IT administrators get Minecraft Education Edition description: Learn how IT admins can get and distribute Minecraft in their schools. keywords: Minecraft, Education Edition, IT admins, acquire -ms.prod: w10 +ms.prod: windows ms.mktglfcycl: plan ms.sitesec: library ms.localizationpriority: medium -author: dansimp searchScope: - Store -ms.author: dansimp -ms.date: 01/30/2019 +ms.collection: education +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/10/2022 ms.reviewer: -manager: dansimp +manager: aaroncz +appliesto: +- ✅ Windows 10 ms.topic: conceptual --- # For IT administrators - get Minecraft: Education Edition -**Applies to:** - -- Windows 10 - When you sign up for a [Minecraft: Education Edition](https://education.minecraft.net) trial, or purchase a [Minecraft: Education Edition](https://education.minecraft.net) subscription. Minecraft will be added to the inventory in your Microsoft Store for Education which is associated with your Azure Active Directory (Azure AD) tenant. Your Microsoft Store for Education is only displayed to members of your organization. >[!Note] diff --git a/education/windows/set-up-school-pcs-azure-ad-join.md b/education/windows/set-up-school-pcs-azure-ad-join.md index a04a034238..b7a35b9784 100644 --- a/education/windows/set-up-school-pcs-azure-ad-join.md +++ b/education/windows/set-up-school-pcs-azure-ad-join.md @@ -2,16 +2,19 @@ title: Azure AD Join with Set up School PCs app description: Describes how Azure AD Join is configured in the Set up School PCs app. keywords: shared cart, shared PC, school, set up school pcs -ms.prod: w10 +ms.prod: windows ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu ms.localizationpriority: medium -author: dansimp -ms.author: dansimp -ms.date: 01/11/2019 +ms.collection: education +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/10/2022 ms.reviewer: -manager: dansimp +manager: aaroncz +appliesto: +- ✅ Windows 10 --- # Azure AD Join for school PCs diff --git a/education/windows/set-up-school-pcs-provisioning-package.md b/education/windows/set-up-school-pcs-provisioning-package.md index 328e6c3c68..3aeb7d738c 100644 --- a/education/windows/set-up-school-pcs-provisioning-package.md +++ b/education/windows/set-up-school-pcs-provisioning-package.md @@ -2,16 +2,19 @@ title: What's in Set up School PCs provisioning package description: Lists the provisioning package settings that are configured in the Set up School PCs app. keywords: shared cart, shared PC, school, set up school pcs -ms.prod: w10 +ms.prod: windows ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu ms.localizationpriority: medium -author: dansimp -ms.author: dansimp -ms.date: 10/17/2018 +ms.collection: education +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/10/2022 ms.reviewer: -manager: dansimp +manager: aaroncz +appliesto: +- ✅ Windows 10 --- # What's in my provisioning package? diff --git a/education/windows/set-up-school-pcs-shared-pc-mode.md b/education/windows/set-up-school-pcs-shared-pc-mode.md index 25aa35b4f0..e007d4957b 100644 --- a/education/windows/set-up-school-pcs-shared-pc-mode.md +++ b/education/windows/set-up-school-pcs-shared-pc-mode.md @@ -2,16 +2,19 @@ title: Shared PC mode for school devices description: Describes how shared PC mode is set for devices set up with the Set up School PCs app. keywords: shared cart, shared PC, school, set up school pcs -ms.prod: w10 +ms.prod: windows ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu ms.localizationpriority: medium -author: dansimp -ms.author: dansimp -ms.date: 07/13/2018 +ms.collection: education +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/10/2022 ms.reviewer: -manager: dansimp +manager: aaroncz +appliesto: +- ✅ Windows 10 --- # Shared PC mode for school devices diff --git a/education/windows/set-up-school-pcs-technical.md b/education/windows/set-up-school-pcs-technical.md index de0bc50602..6dbdf70186 100644 --- a/education/windows/set-up-school-pcs-technical.md +++ b/education/windows/set-up-school-pcs-technical.md @@ -2,25 +2,23 @@ title: Set up School PCs app technical reference overview description: Describes the purpose of the Set up School PCs app for Windows 10 devices. keywords: shared cart, shared PC, school, set up school pcs -ms.prod: w10 +ms.prod: windows ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu ms.localizationpriority: medium -author: dansimp -ms.author: dansimp -ms.date: 07/11/2018 +ms.collection: education +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/10/2022 ms.reviewer: -manager: dansimp +manager: aaroncz +appliesto: +- ✅ Windows 10 --- # What is Set up School PCs? - -**Applies to:** - -- Windows 10 - The **Set up School PCs** app helps you configure new Windows 10 PCs for school use. The app, which is available for Windows 10 version 1703 and later, configures and saves school-optimized settings, apps, and policies into a single provisioning package. You can then save the package to a USB drive and distribute it to your school PCs. diff --git a/education/windows/set-up-school-pcs-whats-new.md b/education/windows/set-up-school-pcs-whats-new.md index a22f1755e4..fce328a1c0 100644 --- a/education/windows/set-up-school-pcs-whats-new.md +++ b/education/windows/set-up-school-pcs-whats-new.md @@ -2,16 +2,20 @@ title: What's new in the Windows Set up School PCs app description: Find out about app updates and new features in Set up School PCs. keywords: shared cart, shared PC, school, set up school pcs -ms.prod: w10 +ms.prod: windows ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu ms.localizationpriority: medium -author: dansimp -ms.author: dansimp -ms.date: 08/04/2022 -ms.reviewer: paoloma -manager: dansimp +ms.collection: education +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/10/2022 +ms.reviewer: +manager: aaroncz +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- # What's new in Set up School PCs diff --git a/education/windows/set-up-students-pcs-to-join-domain.md b/education/windows/set-up-students-pcs-to-join-domain.md index cbad40867b..32f97bf4b3 100644 --- a/education/windows/set-up-students-pcs-to-join-domain.md +++ b/education/windows/set-up-students-pcs-to-join-domain.md @@ -2,21 +2,21 @@ title: Set up student PCs to join domain description: Learn how to use Configuration Designer to provision student devices to join Active Directory. keywords: school, student PC setup, Windows Configuration Designer -ms.prod: w10 +ms.prod: windows ms.mktglfcycl: plan ms.sitesec: library ms.localizationpriority: medium -author: dansimp -ms.author: dansimp -ms.date: 07/27/2017 +ms.collection: education +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/10/2022 ms.reviewer: -manager: dansimp +manager: aaroncz +appliesto: +- ✅ Windows 10 --- # Set up student PCs to join domain -**Applies to:** - -- Windows 10 If your school uses Active Directory, use the Windows Configuration Designer tool to create a provisioning package that will configure a PC for student use that is joined to the Active Directory domain. diff --git a/education/windows/set-up-students-pcs-with-apps.md b/education/windows/set-up-students-pcs-with-apps.md index 2f08fa227c..840dd7836b 100644 --- a/education/windows/set-up-students-pcs-with-apps.md +++ b/education/windows/set-up-students-pcs-with-apps.md @@ -1,21 +1,19 @@ --- title: Provision student PCs with apps description: Learn how to use Configuration Designer to easily provision student devices to join Active Directory. -ms.prod: w10 +ms.prod: windows ms.localizationpriority: medium -author: dansimp -ms.author: dansimp -ms.date: 10/13/2017 +ms.collection: education +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/10/2022 ms.reviewer: -manager: dansimp +manager: aaroncz +appliesto: +- ✅ Windows 10 --- - # Provision student PCs with apps -**Applies to:** - -- Windows 10 - To create and apply a provisioning package that contains apps to a device running all desktop editions of Windows 10 except Windows 10 Home, follow the steps in [Provision PCs with apps](/windows/configuration/provisioning-packages/provision-pcs-with-apps). Provisioning packages can include management instructions and policies, installation of specific apps, customization of network connections and policies, and more. diff --git a/education/windows/set-up-windows-10.md b/education/windows/set-up-windows-10.md index e1acdf9f1d..a9e53b4beb 100644 --- a/education/windows/set-up-windows-10.md +++ b/education/windows/set-up-windows-10.md @@ -2,22 +2,22 @@ title: Set up Windows devices for education description: Decide which option for setting up Windows 10 is right for you. keywords: school, Windows device setup, education device setup -ms.prod: w10 +ms.prod: windows ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: edu ms.localizationpriority: medium -author: dansimp -ms.author: dansimp -ms.date: 07/27/2017 +ms.collection: education +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/10/2022 ms.reviewer: -manager: dansimp +manager: aaroncz +appliesto: +- ✅ Windows 10 --- # Set up Windows devices for education -**Applies to:** - -- Windows 10 You have two tools to choose from to set up PCs for your classroom: * Set up School PCs diff --git a/education/windows/take-a-test-app-technical.md b/education/windows/take-a-test-app-technical.md index 3e83e12653..dd064677bf 100644 --- a/education/windows/take-a-test-app-technical.md +++ b/education/windows/take-a-test-app-technical.md @@ -2,24 +2,22 @@ title: Take a Test app technical reference description: The policies and settings applied by the Take a Test app. keywords: take a test, test taking, school, policies -ms.prod: w10 +ms.prod: windows ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu ms.localizationpriority: medium -author: dansimp -ms.author: dansimp -ms.date: 11/28/2017 +ms.collection: education +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/10/2022 ms.reviewer: -manager: dansimp +manager: aaroncz +appliesto: +- ✅ Windows 10 --- # Take a Test app technical reference -**Applies to:** - -- Windows 10 - - Take a Test is an app that locks down the PC and displays an online assessment web page. diff --git a/education/windows/take-a-test-multiple-pcs.md b/education/windows/take-a-test-multiple-pcs.md index fe484ddf82..e6daee3daa 100644 --- a/education/windows/take-a-test-multiple-pcs.md +++ b/education/windows/take-a-test-multiple-pcs.md @@ -2,23 +2,22 @@ title: Set up Take a Test on multiple PCs description: Learn how to set up and use the Take a Test app on multiple PCs. keywords: take a test, test taking, school, set up on multiple PCs -ms.prod: w10 +ms.prod: windows ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu ms.localizationpriority: medium -author: dansimp -ms.author: dansimp -ms.date: 11/08/2017 +ms.collection: education +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/10/2022 ms.reviewer: -manager: dansimp +manager: aaroncz +appliesto: +- ✅ Windows 10 --- # Set up Take a Test on multiple PCs -**Applies to:** - -- Windows 10 - Many schools use online testing for formative and summation assessments. It's critical that students use a secure browser that prevents them from using other computer or Internet resources during the test. diff --git a/education/windows/take-a-test-single-pc.md b/education/windows/take-a-test-single-pc.md index 1ebd02e090..2dcc9c525c 100644 --- a/education/windows/take-a-test-single-pc.md +++ b/education/windows/take-a-test-single-pc.md @@ -2,22 +2,21 @@ title: Set up Take a Test on a single PC description: Learn how to set up and use the Take a Test app on a single PC. keywords: take a test, test taking, school, set up on single PC -ms.prod: w10 +ms.prod: windows ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu ms.localizationpriority: medium -author: dansimp -ms.author: dansimp -ms.date: 11/08/2017 +ms.collection: education +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/10/2022 ms.reviewer: -manager: dansimp +manager: aaroncz +appliesto: +- ✅ Windows 10 --- - # Set up Take a Test on a single PC -**Applies to:** - -- Windows 10 To configure [Take a Test](take-tests-in-windows-10.md) on a single PC, follow the guidance in this topic. diff --git a/education/windows/take-tests-in-windows-10.md b/education/windows/take-tests-in-windows-10.md index 50853a9e67..e0e44e51c8 100644 --- a/education/windows/take-tests-in-windows-10.md +++ b/education/windows/take-tests-in-windows-10.md @@ -2,23 +2,22 @@ title: Take tests in Windows 10 description: Learn how to set up and use the Take a Test app. keywords: take a test, test taking, school, how to, use Take a Test -ms.prod: w10 +ms.prod: windows ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu ms.localizationpriority: medium -author: dansimp -ms.author: dansimp -ms.date: 10/16/2017 +ms.collection: education +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/10/2022 ms.reviewer: -manager: dansimp +manager: aaroncz +appliesto: +- ✅ Windows 10 --- # Take tests in Windows 10 -**Applies to:** - -- Windows 10 - Many schools use online testing for formative and summative assessments. It's critical that students use a secure browser that prevents them from using other computer or Internet resources during the test. The **Take a Test** app in Windows 10 creates the right environment for taking a test: diff --git a/education/windows/teacher-get-minecraft.md b/education/windows/teacher-get-minecraft.md index 8d9850ce64..9436f4e605 100644 --- a/education/windows/teacher-get-minecraft.md +++ b/education/windows/teacher-get-minecraft.md @@ -2,26 +2,24 @@ title: For teachers get Minecraft Education Edition description: Learn how teachers can get and distribute Minecraft. keywords: school, Minecraft, Education Edition, educators, teachers, acquire, distribute -ms.prod: w10 +ms.prod: windows ms.mktglfcycl: plan ms.sitesec: library ms.localizationpriority: medium -author: dansimp searchScope: - Store -ms.author: dansimp -ms.date: 01/05/2018 +ms.collection: education +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/10/2022 ms.reviewer: -manager: dansimp -ms.topic: conceptual +manager: aaroncz +appliesto: +- ✅ Windows 10 --- # For teachers - get Minecraft: Education Edition -**Applies to:** - -- Windows 10 - The following article describes how teachers can get and distribute Minecraft: Education Edition. Minecraft: Education Edition is available for anyone to trial, and subscriptions can be purchased by qualified educational institutions directly in the Microsoft Store for Education, via volume licensing agreements and through partner resellers. diff --git a/education/windows/test-windows10s-for-edu.md b/education/windows/test-windows10s-for-edu.md index f1ac5e98b3..e76136de39 100644 --- a/education/windows/test-windows10s-for-edu.md +++ b/education/windows/test-windows10s-for-edu.md @@ -1,20 +1,20 @@ --- title: Test Windows 10 in S mode on existing Windows 10 education devices description: Provides guidance on downloading and testing Windows 10 in S mode for existing Windows 10 education devices. -ms.prod: w10 +ms.prod: windows ms.localizationpriority: medium -author: dansimp -ms.author: dansimp -ms.date: 07/30/2019 +ms.collection: education +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/10/2022 ms.reviewer: -manager: dansimp +manager: aaroncz +appliesto: +- ✅ Windows 10 --- # Test Windows 10 in S mode on existing Windows 10 education devices -**Applies to:** -- Devices running Windows 10, version 1709: Windows 10 Pro, Windows 10 Pro Education, Windows 10 Education, Windows 10 Enterprise - The Windows 10 in S mode self-installer will allow you to test Windows 10 in S mode on various individual Windows 10 devices (except Windows 10 Home) with a genuine, activated license[1](#footnote1). Test Windows 10 in S mode on various devices in your school and share your feedback with us. Windows 10 in S mode is built to give schools the familiar, robust, and productive experiences you count on from Windows in an experience that's been streamlined for security and performance in the classroom, and built to work with Microsoft Education[2](#footnote2). diff --git a/education/windows/use-set-up-school-pcs-app.md b/education/windows/use-set-up-school-pcs-app.md index ca36e12e5a..958e32ad29 100644 --- a/education/windows/use-set-up-school-pcs-app.md +++ b/education/windows/use-set-up-school-pcs-app.md @@ -2,18 +2,20 @@ title: Use Set up School PCs app description: Learn how to use the Set up School PCs app and apply the provisioning package. keywords: shared cart, shared PC, school, Set up School PCs, overview, how to use -ms.prod: w10 +ms.prod: windows ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: edu ms.localizationpriority: medium -author: dansimp -ms.author: dansimp -ms.date: 10/23/2018 +ms.collection: education +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/10/2022 ms.reviewer: -manager: dansimp +manager: aaroncz +appliesto: +- ✅ Windows 10 --- - # Use the Set up School PCs app IT administrators and technical teachers can use the **Set up School PCs** app to quickly set up Windows 10 PCs for students. The app configures PCs with the apps and features students need, and it removes the ones they don't need. During setup, if licensed in your tenant, the app enrolls each student PC into a mobile device management (MDM) provider, such as Intune for Education. You can then manage all the settings the app configures through the MDM. diff --git a/education/windows/windows-11-se-overview.md b/education/windows/windows-11-se-overview.md index dd98543603..32691a8669 100644 --- a/education/windows/windows-11-se-overview.md +++ b/education/windows/windows-11-se-overview.md @@ -1,25 +1,22 @@ --- title: What is Windows 11 SE description: Learn more about Windows 11 SE, and the apps that are included with the operating system. Read about the features IT professionals and administrators should know about Windows 11 SE. Add and deploy your apps using Microsoft Intune for Education. -ms.prod: w10 +ms.prod: windows ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: mobile -author: aczechowski -ms.author: aaroncz -manager: dougeby +ms.collection: education +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/10/2022 ms.reviewer: -ms.localizationpriority: medium -ms.topic: article +manager: aaroncz +appliesto: +- ✅ Windows 11 SE --- # Windows 11 SE for Education -**Applies to**: - -- Windows 11 SE -- Microsoft Intune for Education - Windows 11 SE is a new edition of Windows that's designed for education. It runs on web-first devices that use essential education apps. Microsoft Office 365 is preinstalled (subscription sold separately). For education customers seeking cost-effective devices, Microsoft Windows 11 SE is a great choice. Windows 11 SE includes the following benefits: diff --git a/education/windows/windows-11-se-settings-list.md b/education/windows/windows-11-se-settings-list.md index b2b9df5de8..e654aff272 100644 --- a/education/windows/windows-11-se-settings-list.md +++ b/education/windows/windows-11-se-settings-list.md @@ -1,25 +1,22 @@ --- title: Windows 11 SE settings list description: Windows 11 SE automatically configures settings in the operating system. Learn more about the settings you can control and manage, and the settings you can't change. -ms.prod: w10 +ms.prod: windows ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: mobile -author: aczechowski -ms.author: aaroncz -manager: dougeby +ms.collection: education +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/10/2022 ms.reviewer: -ms.localizationpriority: medium -ms.topic: article +manager: aaroncz +appliesto: +- ✅ Windows 11 SE --- # Windows 11 SE for Education settings list -**Applies to**: - -- Windows 11 SE -- Microsoft Intune for Education - Windows 11 SE automatically configures settings and features in the operating system. These settings use the Configuration Service Provider (CSPs) provided by Microsoft. You can use an MDM provider to configure these settings. This article lists the settings automatically configured. For more information on Windows 11 SE, see [Windows 11 SE for Education overview](windows-11-se-overview.md). diff --git a/education/windows/windows-editions-for-education-customers.md b/education/windows/windows-editions-for-education-customers.md index 759d485046..b53f4a28bc 100644 --- a/education/windows/windows-editions-for-education-customers.md +++ b/education/windows/windows-editions-for-education-customers.md @@ -2,23 +2,22 @@ title: Windows 10 editions for education customers description: Provides an overview of the two Windows 10 editions that are designed for the needs of K-12 institutions. keywords: Windows 10 Pro Education, Windows 10 Education, Windows 10 editions, education customers -ms.prod: w10 +ms.prod: windows ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu ms.localizationpriority: medium -author: dansimp -ms.author: dansimp -ms.date: 05/21/2019 +ms.collection: education +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/10/2022 ms.reviewer: -manager: dansimp +manager: aaroncz +appliesto: +- ✅ Windows 10 --- # Windows 10 editions for education customers -**Applies to:** - -- Windows 10 - Windows 10, version 1607 (Anniversary Update) continues our commitment to productivity, security, and privacy for all customers. Windows 10 Pro and Windows 10 Enterprise offer the functionality and safety features demanded by business and education customers around the globe. Windows 10 is the most secure Windows we’ve ever built. All of our Windows commercial editions can be configured to support the needs of schools, through group policies, domain join, and more. To learn more about Microsoft’s commitment to security and privacy in Windows 10, see more on both [security](/windows/security/security-foundations) and [privacy](https://go.microsoft.com/fwlink/?LinkId=822620). diff --git a/windows/application-management/add-apps-and-features.md b/windows/application-management/add-apps-and-features.md index 9ee3c86345..a625c4f1c7 100644 --- a/windows/application-management/add-apps-and-features.md +++ b/windows/application-management/add-apps-and-features.md @@ -2,12 +2,12 @@ title: Add or hide optional apps and features on Windows devices | Microsoft Docs description: Learn how to add Windows 10 and Windows 11 optional features using the Apps & features page in the Settings app. Also see the group policy objects (GPO) and MDM policies that show or hide Apps and Windows Features in the Settings app. Use Windows PowerShell to show or hide specific features in Windows Features. ms.prod: w10 -ms.author: aaroncz -author: aczechowski +author: nicholasswhite +ms.author: nwhite +manager: aaroncz ms.localizationpriority: medium ms.date: 08/30/2021 ms.reviewer: -manager: dougeby ms.topic: article ms.collection: highpri --- diff --git a/windows/application-management/apps-in-windows-10.md b/windows/application-management/apps-in-windows-10.md index ba0a92dcf7..0c38b376be 100644 --- a/windows/application-management/apps-in-windows-10.md +++ b/windows/application-management/apps-in-windows-10.md @@ -1,11 +1,11 @@ --- title: Learn about the different app types in Windows 10/11 | Microsoft Docs -ms.reviewer: -manager: dougeby description: Learn more and understand the different types of apps that run on Windows 10 and Windows 11. For example, learn more about UWP, WPF, Win32, and Windows Forms apps, including the best way to install these apps. ms.prod: w10 -ms.author: aaroncz -author: aczechowski +author: nicholasswhite +ms.author: nwhite +manager: aaroncz +ms.reviewer: ms.localizationpriority: medium ms.topic: article ms.collection: highpri diff --git a/windows/application-management/enterprise-background-activity-controls.md b/windows/application-management/enterprise-background-activity-controls.md index d85b5ea89f..60cb9c5b79 100644 --- a/windows/application-management/enterprise-background-activity-controls.md +++ b/windows/application-management/enterprise-background-activity-controls.md @@ -1,13 +1,13 @@ --- -author: aczechowski title: Remove background task resource restrictions description: Allow enterprise background tasks unrestricted access to computer resources. -ms.author: aaroncz +ms.prod: w10 +author: nicholasswhite +ms.author: nwhite +manager: aaroncz ms.date: 10/03/2017 ms.reviewer: -manager: dougeby ms.topic: article -ms.prod: w10 --- # Remove background task resource restrictions @@ -43,7 +43,7 @@ Starting with Windows 10, version 1703, enterprises can control background activ `./Vendor/Microsoft/Policy/Config/Privacy/LetAppsRunInBackground_ForceDenyTheseApps`  `./Vendor/Microsoft/Policy/Config/Privacy/LetAppsRunInBackground_UserInControlOfTheseApps` -These policies control the background activity battery settings for Universal Windows Platform (UWP) apps. They enable apps to not be managed by the Windows system policies and not be restricted when battery saver is active. Applying these policies to a device will disable the user controls for the applications specified in the policies in the **Settings** app. See [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider#privacy-letappsruninbackground) for more information about these policies. +These policies control the background activity battery settings for Universal Windows Platform (UWP) apps. They enable apps to not be managed by the Windows system policies and not be restricted when battery saver is active. Applying these policies to a device will disable the user controls for the applications specified in the policies in the **Settings** app. For more information about these policies, visit [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider#privacy-letappsruninbackground). An app can determine which settings are in place for itself by using [BackgroundExecutionManager.RequestAccessAsync](/uwp/api/Windows.ApplicationModel.Background.BackgroundAccessStatus) before any background activity is attempted, and then examining the returned [BackgroundAccessStatus](/uwp/api/windows.applicationmodel.background.backgroundaccessstatus) enumeration. The values of this enumeration correspond to settings in the **battery usage by App** settings page:     diff --git a/windows/application-management/includes/app-v-end-life-statement.md b/windows/application-management/includes/app-v-end-life-statement.md index 17dace9c69..87c9ec2b04 100644 --- a/windows/application-management/includes/app-v-end-life-statement.md +++ b/windows/application-management/includes/app-v-end-life-statement.md @@ -1,9 +1,9 @@ --- -author: aczechowski -ms.author: aaroncz +author: nicholasswhite +ms.author: nwhite +manager: aaroncz ms.date: 09/20/2021 ms.reviewer: -manager: dougeby ms.prod: w10 ms.topic: include --- diff --git a/windows/application-management/includes/applies-to-windows-client-versions.md b/windows/application-management/includes/applies-to-windows-client-versions.md index 7cb153ddb7..b26f9904a6 100644 --- a/windows/application-management/includes/applies-to-windows-client-versions.md +++ b/windows/application-management/includes/applies-to-windows-client-versions.md @@ -1,9 +1,9 @@ --- -author: aczechowski -ms.author: aaroncz +author: nicholasswhite +ms.author: nwhite +manager: aaroncz ms.date: 09/28/2021 ms.reviewer: -manager: dougeby ms.prod: w10 ms.topic: include --- diff --git a/windows/application-management/index.yml b/windows/application-management/index.yml index 8f6b781ec5..e13b0747f4 100644 --- a/windows/application-management/index.yml +++ b/windows/application-management/index.yml @@ -13,9 +13,9 @@ metadata: ms.collection: - windows-10 - highpri - author: aczechowski - ms.author: aaroncz - manager: dougeby + author: nicholasswhite + ms.author: nwhite + manager: aaroncz ms.date: 08/24/2021 #Required; mm/dd/yyyy format. ms.localizationpriority : medium diff --git a/windows/application-management/manage-windows-mixed-reality.md b/windows/application-management/manage-windows-mixed-reality.md index 122ffdd4f1..e0270672bb 100644 --- a/windows/application-management/manage-windows-mixed-reality.md +++ b/windows/application-management/manage-windows-mixed-reality.md @@ -2,11 +2,11 @@ title: Enable or block Windows Mixed Reality apps in the enterprise (Windows 10/11) description: Learn how to enable Windows Mixed Reality apps in WSUS or block the Windows Mixed Reality portal in enterprises. ms.reviewer: -manager: dougeby +author: nicholasswhite +ms.author: nwhite +manager: aaroncz ms.prod: w10 ms.localizationpriority: medium -author: aczechowski -ms.author: aaroncz ms.topic: article --- @@ -58,7 +58,7 @@ IT admins can also create [Side by side feature store (shared folder)](/previous You can use the [AppLocker configuration service provider (CSP)](/windows/client-management/mdm/applocker-csp) to block the Mixed Reality software. -In the following example, the **Id** can be any generated GUID and the **Name** can be any name you choose. Note that `BinaryName="*"` allows you to block any app executable in the Mixed Reality Portal package. **Binary/VersionRange**, as shown in the example, will block all versions of the Mixed Reality Portal app. +In the following example, the **Id** can be any generated GUID and the **Name** can be any name you choose. `BinaryName="*"` allows you to block any app executable in the Mixed Reality Portal package. **Binary/VersionRange**, as shown in the example, will block all versions of the Mixed Reality Portal app. ```xml diff --git a/windows/application-management/per-user-services-in-windows.md b/windows/application-management/per-user-services-in-windows.md index 4657bd8ea3..7735990889 100644 --- a/windows/application-management/per-user-services-in-windows.md +++ b/windows/application-management/per-user-services-in-windows.md @@ -2,11 +2,11 @@ title: Per-user services in Windows 10 and Windows Server description: Learn about per-user services, how to change the template service Startup Type, and manage per-user services through Group Policy and security templates. ms.prod: w10 -ms.author: aaroncz -author: aczechowski +author: nicholasswhite +ms.author: nwhite +manager: aaroncz ms.date: 09/14/2017 ms.reviewer: -manager: dougeby --- # Per-user services in Windows 10 and Windows Server @@ -41,7 +41,7 @@ Before you disable any of these services, review the **Description** column in t | 1803 | DevicePickerUserSvc | DevicePicker | Manual | | Device Picker | | 1703 | DevicesFlowUserSvc | DevicesFlow | Manual | | Device Discovery and Connecting | | 1703 | MessagingService | MessagingService | Manual | | Service supporting text messaging and related functionality | -| 1607 | OneSyncSvc | Sync Host | Auto (delayed) | | Synchronizes mail, contacts, calendar, and other user data. Mail and other applications dependent on this service don't work correctly when this service is not running. | +| 1607 | OneSyncSvc | Sync Host | Auto (delayed) | | Synchronizes mail, contacts, calendar, and other user data. Mail and other applications dependent on this service don't work correctly when this service isn't running. | | 1607 | PimIndexMaintenanceSvc | Contact Data | Manual | UnistoreSvc | Indexes contact data for fast contact searching. If you stop or disable this service, search results might not display all contacts. | | 1709 | PrintWorkflowUserSvc | PrintWorkflow | Manual | | Print Workflow | | 1607 | UnistoreSvc | User Data Storage | Manual | | Handles storage of structured user data, including contact info, calendars, and messages. If you stop or disable this service, apps that use this data might not work correctly. | @@ -71,7 +71,7 @@ In light of these restrictions, you can use the following methods to manage per- ### Manage template services using a security template -You can manage the CDPUserSvc and OneSyncSvc per-user services with a [security template](/windows/device-security/security-policy-settings/administer-security-policy-settings#bkmk-sectmpl). See [Administer security policy settings](/windows/device-security/security-policy-settings/administer-security-policy-settings) for more information. +You can manage the CDPUserSvc and OneSyncSvc per-user services with a [security template](/windows/device-security/security-policy-settings/administer-security-policy-settings#bkmk-sectmpl). For more information, visit [Administer security policy settings](/windows/device-security/security-policy-settings/administer-security-policy-settings). For example: @@ -87,13 +87,13 @@ Revision=1 ### Manage template services using Group Policy preferences -If a per-user service can't be disabled using a the security template, you can disable it by using Group Policy preferences. +If a per-user service can't be disabled using the security template, you can disable it by using Group Policy preferences. -1. On a Windows Server domain controller or Windows 10 PC that has the [Remote Server Administration Tools (RSAT)](https://www.microsoft.com/download/details.aspx?id=45520) installed, click **Start**, type GPMC.MSC, and then press **Enter** to open the **Group Policy Management Console**. +1. On a Windows Server domain controller or Windows 10 PC that has the [Remote Server Administration Tools (RSAT)](https://www.microsoft.com/download/details.aspx?id=45520) installed, select **Start**, type GPMC.MSC, and then press **Enter** to open the **Group Policy Management Console**. 2. Create a new Group Policy Object (GPO) or use an existing GPO. -3. Right-click the GPO and click **Edit** to launch the Group Policy Object Editor. +3. Right-click the GPO and select **Edit** to launch the Group Policy Object Editor. 4. Depending on how you want to target the Group Policy, under **Computer configuration** or **User configuration** browse to Preferences\Windows Settings\Registry. @@ -101,23 +101,23 @@ If a per-user service can't be disabled using a the security template, you can d ![Group Policy preferences disabling per-user services.](media/gpp-per-user-services.png) -6. Make sure that HKEY_Local_Machine is selected for Hive and then click ... (the ellipses) next to Key Path. +6. Make sure that HKEY_Local_Machine is selected for Hive and then select ... (the ellipses) next to Key Path. ![Choose HKLM.](media/gpp-hklm.png) -7. Browse to **System\CurrentControlSet\Services\PimIndexMaintenanceSvc**. In the list of values, highlight **Start** and click **Select**. +7. Browse to **System\CurrentControlSet\Services\PimIndexMaintenanceSvc**. In the list of values, highlight **Start** and select **Select**. ![Select Start.](media/gpp-svc-start.png) -8. Change **Value data** from **00000003** to **00000004** and click **OK**. Note setting the Value data to **4** = **Disabled**. +8. Change **Value data** from **00000003** to **00000004** and select **OK**. Note setting the Value data to **4** = **Disabled**. ![Startup Type is Disabled.](media/gpp-svc-disabled.png) -9. To add the other services that cannot be managed with a Group Policy templates, edit the policy and repeat steps 5-8. +9. To add the other services that can't be managed with a Group Policy templates, edit the policy and repeat steps 5-8. ### Managing Template Services with reg.exe -If you cannot use Group Policy Preferences to manage the per-user services, you can edit the registry with reg.exe. +If you can't use Group Policy Preferences to manage the per-user services, you can edit the registry with reg.exe. To disable the Template Services, change the Startup Type for each service to 4 (disabled). For example: @@ -135,7 +135,7 @@ REG.EXE ADD HKLM\System\CurrentControlSet\Services\WpnUserService /v Start /t RE ### Managing Template Services with regedit.exe -If you cannot use Group Policy preferences to manage the per-user services, you can edit the registry with regedit.exe. To disable the template services, change the Startup Type for each service to 4 (disabled): +If you can't use Group Policy preferences to manage the per-user services, you can edit the registry with regedit.exe. To disable the template services, change the Startup Type for each service to 4 (disabled): ![Using Regedit to change servive Starup Type.](media/regedit-change-service-startup-type.png) @@ -159,7 +159,7 @@ Sample script using [sc.exe](/previous-versions/windows/it-pro/windows-server-20 ``` sc.exe configure start= disabled ``` -Note that the space after "=" is intentional. +The space after "=" is intentional. Sample script using the [Set-Service PowerShell cmdlet](/previous-versions/windows/it-pro/windows-powershell-1.0/ee176963(v=technet.10)): @@ -169,7 +169,7 @@ Set-Service -StartupType Disabled ## View per-user services in the Services console (services.msc) -As mentioned you can't view the template services in the Services console, but you can see the user-specific per-user services - they are displayed using the \_LUID format (where LUID is the locally unique identifier). +As mentioned you can't view the template services in the Services console, but you can see the user-specific per-user services - they're displayed using the \_LUID format (where LUID is the locally unique identifier). For example, you might see the following per-user services listed in the Services console: diff --git a/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md b/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md index 45f7dec8fa..b039ab012b 100644 --- a/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md +++ b/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md @@ -1,11 +1,11 @@ --- title: Use the Company Portal app for your private app repo on Windows 11 devices | Microsoft Docs description: Use the Company Portal app in Windows 11 devices to access the private app repository for your organization or company apps. Add apps to an MDM/MAM provider, and deploy the apps to Windows devices using policies. The Company Portal app replaces Microsoft Store for Business private store on Windows 11 devices. -manager: dougeby -ms.author: aaroncz +author: nicholasswhite +ms.author: nwhite +manager: aaroncz ms.reviewer: amanh ms.prod: w11 -author: aczechowski ms.date: 09/15/2021 ms.localizationpriority: medium --- diff --git a/windows/application-management/provisioned-apps-windows-client-os.md b/windows/application-management/provisioned-apps-windows-client-os.md index c155a0e790..b61fb4f87e 100644 --- a/windows/application-management/provisioned-apps-windows-client-os.md +++ b/windows/application-management/provisioned-apps-windows-client-os.md @@ -1,11 +1,11 @@ --- title: Get the provisioned apps on Windows client operating system | Microsoft Docs ms.reviewer: -manager: dougeby +author: nicholasswhite +ms.author: nwhite +manager: aaroncz description: Use the Windows PowerShell Get-AppxProvisionedPackage command to get a list off the provisioned apps installed in Windows OS. See a list of some common provisioned apps installed a Windows Enterprise client computer or device, including Windows 10/11. ms.prod: w10 -ms.author: aaroncz -author: aczechowski ms.localizationpriority: medium ms.topic: article --- @@ -17,7 +17,7 @@ ms.topic: article - Windows 10 - Windows 11 -Provisioned apps are included with the OS, and automatically installed when a user signs into a Windows device the first time. They are per-user apps, and typically installed in the `C:\Program Files\WindowsApps` folder. On your Windows devices, you can use Windows PowerShell to see the provisioned apps automatically installed. +Provisioned apps are included with the OS, and automatically installed when a user signs into a Windows device the first time. They're per-user apps, and typically installed in the `C:\Program Files\WindowsApps` folder. On your Windows devices, you can use Windows PowerShell to see the provisioned apps automatically installed. This article lists some of the built-in provisioned apps on the different Windows client OS versions, and lists the Windows PowerShell command to get a list. diff --git a/windows/application-management/remove-provisioned-apps-during-update.md b/windows/application-management/remove-provisioned-apps-during-update.md index d05b8db3c7..817364d24a 100644 --- a/windows/application-management/remove-provisioned-apps-during-update.md +++ b/windows/application-management/remove-provisioned-apps-during-update.md @@ -2,17 +2,17 @@ title: How to keep apps removed from Windows 10 from returning during an update description: How to keep provisioned apps that were removed from your machine from returning during an update. ms.prod: w10 -ms.author: aaroncz -author: aczechowski +author: nicholasswhite +ms.author: nwhite +manager: aaroncz ms.date: 05/25/2018 ms.reviewer: -manager: dougeby --- # How to keep apps removed from Windows 10 from returning during an update > Applies to: Windows 10 (General Availability Channel) -When you update a computer running Windows 10, version 1703 or 1709, you might see provisioned apps that you previously removed return post-update. This can happen if the computer was offline when you removed the apps. This issue was fixed in Windows 10, version 1803. +When you update a computer running Windows 10, version 1703 or 1709, you might see provisioned apps that you previously removed post-update. This can happen if the computer was offline when you removed the apps. Windows 10, version 1803 has fixed this issue. >[!NOTE] >* This issue only occurs after a feature update (from one version to the next), not monthly updates or security-related updates. diff --git a/windows/application-management/sideload-apps-in-windows-10.md b/windows/application-management/sideload-apps-in-windows-10.md index 0e20c16ba3..466370dcd1 100644 --- a/windows/application-management/sideload-apps-in-windows-10.md +++ b/windows/application-management/sideload-apps-in-windows-10.md @@ -2,10 +2,10 @@ title: Sideload LOB apps in Windows client OS | Microsoft Docs description: Learn how to sideload line-of-business (LOB) apps in Windows client operating systems, including Windows 10/11. When you sideload an app, you deploy a signed app package to a device. ms.reviewer: -manager: dougeby -ms.author: aaroncz +author: nicholasswhite +ms.author: nwhite +manager: aaroncz ms.prod: w10 -author: aczechowski ms.localizationpriority: medium --- diff --git a/windows/application-management/svchost-service-refactoring.md b/windows/application-management/svchost-service-refactoring.md index 7fe5fa1c05..67476d451f 100644 --- a/windows/application-management/svchost-service-refactoring.md +++ b/windows/application-management/svchost-service-refactoring.md @@ -2,11 +2,11 @@ title: Service Host service refactoring in Windows 10 version 1703 description: Learn about the SvcHost Service Refactoring introduced in Windows 10 version 1703. ms.prod: w10 -ms.author: aaroncz -author: aczechowski +author: nicholasswhite +ms.author: nwhite +manager: aaroncz ms.date: 07/20/2017 ms.reviewer: -manager: dougeby --- # Changes to Service Host grouping in Windows 10 diff --git a/windows/application-management/system-apps-windows-client-os.md b/windows/application-management/system-apps-windows-client-os.md index 89689b0d06..eef2f72573 100644 --- a/windows/application-management/system-apps-windows-client-os.md +++ b/windows/application-management/system-apps-windows-client-os.md @@ -1,11 +1,11 @@ --- title: Get the system apps on Windows client operating system | Microsoft Docs ms.reviewer: -manager: dougeby +author: nicholasswhite +ms.author: nwhite +manager: aaroncz description: Use the Windows PowerShell Get-AppxPackage command to get a list off the system apps installed in Windows OS. See a list of some common system apps installed a Windows Enterprise client computer or device, including Windows 10/11. ms.prod: w10 -ms.author: aaroncz -author: aczechowski ms.localizationpriority: medium ms.topic: article --- diff --git a/windows/client-management/administrative-tools-in-windows-10.md b/windows/client-management/administrative-tools-in-windows-10.md index 76d04a5dd1..5260e5f1db 100644 --- a/windows/client-management/administrative-tools-in-windows-10.md +++ b/windows/client-management/administrative-tools-in-windows-10.md @@ -2,9 +2,9 @@ title: Windows Tools/Administrative Tools description: The folders for Windows Tools and Administrative Tools are folders in the Control Panel that contain tools for system administrators and advanced users. ms.prod: w10 -author: aczechowski -ms.author: aaroncz -manager: dougeby +author: vinaypamnani-msft +ms.author: vinpa +manager: aaroncz ms.localizationpriority: medium ms.date: 03/28/2022 ms.topic: article diff --git a/windows/client-management/change-default-removal-policy-external-storage-media.md b/windows/client-management/change-default-removal-policy-external-storage-media.md index 8b0e587b74..7a16f17f4d 100644 --- a/windows/client-management/change-default-removal-policy-external-storage-media.md +++ b/windows/client-management/change-default-removal-policy-external-storage-media.md @@ -1,15 +1,15 @@ --- title: Windows 10 default media removal policy -description: In Windows 10, version 1809, the default removal policy for external storage media changed from "Better performance" to "Quick removal." +description: In Windows 10, version 1809, the default removal policy for external storage media changed from Better performance to Quick removal. ms.prod: w10 -author: Teresa-Motiv -ms.author: dougeby +author: vinaypamnani-msft +ms.author: vinpa ms.date: 11/25/2020 ms.topic: article ms.custom: -- CI 111493 -- CI 125140 -- CSSTroubleshooting + - CI 111493 + - CI 125140 + - CSSTroubleshooting audience: ITPro ms.localizationpriority: medium manager: kaushika diff --git a/windows/client-management/connect-to-remote-aadj-pc.md b/windows/client-management/connect-to-remote-aadj-pc.md index ea9fe24821..a2b2682d33 100644 --- a/windows/client-management/connect-to-remote-aadj-pc.md +++ b/windows/client-management/connect-to-remote-aadj-pc.md @@ -2,12 +2,12 @@ title: Connect to remote Azure Active Directory-joined PC (Windows) description: You can use Remote Desktop Connection to connect to an Azure AD-joined PC. ms.prod: w10 -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium -ms.author: dansimp +ms.author: vinpa ms.date: 01/18/2022 ms.reviewer: -manager: dansimp +manager: aaroncz ms.topic: article ms.collection: highpri --- diff --git a/windows/client-management/group-policies-for-enterprise-and-education-editions.md b/windows/client-management/group-policies-for-enterprise-and-education-editions.md index dfb3d72af7..44304f2950 100644 --- a/windows/client-management/group-policies-for-enterprise-and-education-editions.md +++ b/windows/client-management/group-policies-for-enterprise-and-education-editions.md @@ -2,12 +2,12 @@ title: Group Policy settings that apply only to Windows 10 Enterprise and Education Editions (Windows 10) description: Use this topic to learn about Group Policy settings that apply only to Windows 10 Enterprise and Windows 10 Education. ms.prod: w10 -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/14/2021 ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: troubleshooting --- diff --git a/windows/client-management/manage-corporate-devices.md b/windows/client-management/manage-corporate-devices.md index 36da3dfcc9..022820d4e9 100644 --- a/windows/client-management/manage-corporate-devices.md +++ b/windows/client-management/manage-corporate-devices.md @@ -2,11 +2,11 @@ title: Manage corporate devices description: You can use the same management tools to manage all device types running Windows 10 or Windows 11 desktops, laptops, tablets, and phones. ms.reviewer: -manager: dansimp -ms.author: dansimp -keywords: ["MDM", "device management"] +manager: aaroncz +ms.author: vinpa +keywords: [MDM, device management] ms.prod: w10 -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/14/2021 ms.topic: article diff --git a/windows/client-management/manage-device-installation-with-group-policy.md b/windows/client-management/manage-device-installation-with-group-policy.md index 79544bf12c..7c8c46580d 100644 --- a/windows/client-management/manage-device-installation-with-group-policy.md +++ b/windows/client-management/manage-device-installation-with-group-policy.md @@ -2,11 +2,11 @@ title: Manage Device Installation with Group Policy (Windows 10 and Windows 11) description: Find out how to manage Device Installation Restrictions with Group Policy. ms.prod: w10 -author: aczechowski +author: vinaypamnani-msft ms.date: 09/14/2021 ms.reviewer: -manager: dougeby -ms.author: aaroncz +manager: aaroncz +ms.author: vinpa ms.topic: article --- diff --git a/windows/client-management/manage-settings-app-with-group-policy.md b/windows/client-management/manage-settings-app-with-group-policy.md index 4914694065..d78eac22f8 100644 --- a/windows/client-management/manage-settings-app-with-group-policy.md +++ b/windows/client-management/manage-settings-app-with-group-policy.md @@ -2,11 +2,11 @@ title: Manage the Settings app with Group Policy (Windows 10 and Windows 11) description: Find out how to manage the Settings app with Group Policy so you can hide specific pages from users. ms.prod: w10 -author: dansimp +author: vinaypamnani-msft ms.date: 09/14/2021 ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article --- diff --git a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md index 0f27f3d1d1..367392eba4 100644 --- a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md +++ b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md @@ -4,10 +4,10 @@ description: This article offers strategies for deploying and managing Windows 1 ms.prod: w10 ms.localizationpriority: medium ms.date: 06/03/2022 -author: aczechowski -ms.author: aaroncz +author: vinaypamnani-msft +ms.author: vinpa ms.reviewer: -manager: dougeby +manager: aaroncz ms.topic: overview --- diff --git a/windows/client-management/mandatory-user-profile.md b/windows/client-management/mandatory-user-profile.md index 18aaf583be..cbf11a9442 100644 --- a/windows/client-management/mandatory-user-profile.md +++ b/windows/client-management/mandatory-user-profile.md @@ -2,11 +2,11 @@ title: Create mandatory user profiles (Windows 10 and Windows 11) description: A mandatory user profile is a special type of pre-configured roaming user profile that administrators can use to specify settings for users. ms.prod: w10 -author: dansimp -ms.author: dansimp +author: vinaypamnani-msft +ms.author: vinpa ms.date: 09/14/2021 ms.reviewer: -manager: dansimp +manager: aaroncz ms.topic: article ms.collection: highpri --- diff --git a/windows/client-management/mdm/Language-pack-management-csp.md b/windows/client-management/mdm/Language-pack-management-csp.md index 6e1bc0d9c6..948207dc6d 100644 --- a/windows/client-management/mdm/Language-pack-management-csp.md +++ b/windows/client-management/mdm/Language-pack-management-csp.md @@ -2,12 +2,12 @@ title: Language Pack Management CSP description: Language Pack Management CSP allows a direct way to provision language packs remotely in Windows 10. ms.reviewer: -manager: dansimp -ms.author: v-nsatapathy +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: nimishasatapathy +author: vinaypamnani-msft ms.date: 06/22/2021 --- diff --git a/windows/client-management/mdm/accountmanagement-csp.md b/windows/client-management/mdm/accountmanagement-csp.md index b55a87941f..03a75d8a7a 100644 --- a/windows/client-management/mdm/accountmanagement-csp.md +++ b/windows/client-management/mdm/accountmanagement-csp.md @@ -1,14 +1,14 @@ --- title: AccountManagement CSP description: Learn about the AccountManagement CSP, which is used to configure settings in the Account Manager service. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 03/23/2018 ms.reviewer: -manager: dansimp +manager: aaroncz --- # AccountManagement CSP diff --git a/windows/client-management/mdm/accountmanagement-ddf.md b/windows/client-management/mdm/accountmanagement-ddf.md index 51380b7ed8..d425503b6a 100644 --- a/windows/client-management/mdm/accountmanagement-ddf.md +++ b/windows/client-management/mdm/accountmanagement-ddf.md @@ -1,14 +1,14 @@ --- title: AccountManagement DDF file description: View the OMA DM device description framework (DDF) for the AccountManagement configuration service provider. This file is used to configure settings. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 03/23/2018 ms.reviewer: -manager: dansimp +manager: aaroncz --- # AccountManagement DDF file diff --git a/windows/client-management/mdm/accounts-csp.md b/windows/client-management/mdm/accounts-csp.md index 95689e3b8f..d447311a4e 100644 --- a/windows/client-management/mdm/accounts-csp.md +++ b/windows/client-management/mdm/accounts-csp.md @@ -1,14 +1,14 @@ --- title: Accounts CSP description: The Accounts configuration service provider (CSP) is used by the enterprise to rename devices, and create local Windows accounts & join them to a group. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 03/27/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Accounts CSP diff --git a/windows/client-management/mdm/accounts-ddf-file.md b/windows/client-management/mdm/accounts-ddf-file.md index e522821656..b2bffb3a42 100644 --- a/windows/client-management/mdm/accounts-ddf-file.md +++ b/windows/client-management/mdm/accounts-ddf-file.md @@ -1,14 +1,14 @@ --- title: Accounts DDF file description: View the XML file containing the device description framework (DDF) for the Accounts configuration service provider. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 04/17/2018 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Accounts DDF file diff --git a/windows/client-management/mdm/activesync-csp.md b/windows/client-management/mdm/activesync-csp.md index 929b2dc46a..d174729230 100644 --- a/windows/client-management/mdm/activesync-csp.md +++ b/windows/client-management/mdm/activesync-csp.md @@ -1,13 +1,13 @@ --- title: ActiveSync CSP -description: Learn how the ActiveSync configuration service provider is used to set up and change settings for Exchange ActiveSync. +description: Learn how the ActiveSync configuration service provider is used to set up and change settings for Exchange ActiveSync. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/activesync-ddf-file.md b/windows/client-management/mdm/activesync-ddf-file.md index 216550b80b..323fc038e9 100644 --- a/windows/client-management/mdm/activesync-ddf-file.md +++ b/windows/client-management/mdm/activesync-ddf-file.md @@ -2,12 +2,12 @@ title: ActiveSync DDF file description: Learn about the OMA DM device description framework (DDF) for the ActiveSync configuration service provider. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md b/windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md index 85a599abb8..f5f05c6ddb 100644 --- a/windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md +++ b/windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md @@ -2,12 +2,12 @@ title: Add an Azure AD tenant and Azure AD subscription description: Here's a step-by-step guide to adding an Azure Active Directory tenant, adding an Azure AD subscription, and registering your subscription. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/alljoynmanagement-csp.md b/windows/client-management/mdm/alljoynmanagement-csp.md index b8a280a346..e8aab159fb 100644 --- a/windows/client-management/mdm/alljoynmanagement-csp.md +++ b/windows/client-management/mdm/alljoynmanagement-csp.md @@ -2,12 +2,12 @@ title: AllJoynManagement CSP description: The AllJoynManagement configuration service provider (CSP) allows an IT administrator to enumerate the AllJoyn devices that are connected to the AllJoyn bus. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/alljoynmanagement-ddf.md b/windows/client-management/mdm/alljoynmanagement-ddf.md index bcb19ed0cd..edc188feac 100644 --- a/windows/client-management/mdm/alljoynmanagement-ddf.md +++ b/windows/client-management/mdm/alljoynmanagement-ddf.md @@ -2,12 +2,12 @@ title: AllJoynManagement DDF description: Learn the OMA DM device description framework (DDF) for the AllJoynManagement configuration service provider. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/application-csp.md b/windows/client-management/mdm/application-csp.md index 4502b38c2c..466550a3e5 100644 --- a/windows/client-management/mdm/application-csp.md +++ b/windows/client-management/mdm/application-csp.md @@ -2,12 +2,12 @@ title: APPLICATION CSP description: Learn how the APPLICATION configuration service provider is used to configure an application transport using Open Mobile Alliance (OMA) Client Provisioning. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/applicationcontrol-csp-ddf.md b/windows/client-management/mdm/applicationcontrol-csp-ddf.md index 2c91bf430b..62648efd94 100644 --- a/windows/client-management/mdm/applicationcontrol-csp-ddf.md +++ b/windows/client-management/mdm/applicationcontrol-csp-ddf.md @@ -1,11 +1,11 @@ --- title: ApplicationControl CSP DDF description: View the OMA DM device description framework (DDF) for the ApplicationControl configuration service provider. DDF files are used only with OMA DM provisioning XML. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 07/10/2019 --- diff --git a/windows/client-management/mdm/applicationcontrol-csp.md b/windows/client-management/mdm/applicationcontrol-csp.md index 970bfa5103..e587cf8a3c 100644 --- a/windows/client-management/mdm/applicationcontrol-csp.md +++ b/windows/client-management/mdm/applicationcontrol-csp.md @@ -1,11 +1,11 @@ --- title: ApplicationControl CSP description: The ApplicationControl CSP allows you to manage multiple Windows Defender Application Control (WDAC) policies from an MDM server. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.reviewer: jsuther1974 ms.date: 09/10/2020 --- diff --git a/windows/client-management/mdm/applocker-csp.md b/windows/client-management/mdm/applocker-csp.md index 7ed2500275..abccc814e8 100644 --- a/windows/client-management/mdm/applocker-csp.md +++ b/windows/client-management/mdm/applocker-csp.md @@ -2,12 +2,12 @@ title: AppLocker CSP description: Learn how the AppLocker configuration service provider is used to specify which applications are allowed or disallowed. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 11/19/2019 --- diff --git a/windows/client-management/mdm/applocker-ddf-file.md b/windows/client-management/mdm/applocker-ddf-file.md index 38e2c8e7bc..30adaa5b15 100644 --- a/windows/client-management/mdm/applocker-ddf-file.md +++ b/windows/client-management/mdm/applocker-ddf-file.md @@ -2,12 +2,12 @@ title: AppLocker DDF file description: Learn about the OMA DM device description framework (DDF) for the AppLocker DDF file configuration service provider. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/applocker-xsd.md b/windows/client-management/mdm/applocker-xsd.md index 9eedf4f812..4c9943e332 100644 --- a/windows/client-management/mdm/applocker-xsd.md +++ b/windows/client-management/mdm/applocker-xsd.md @@ -2,12 +2,12 @@ title: AppLocker XSD description: View the XSD for the AppLocker CSP. The AppLocker CSP XSD provides an example of how the schema is organized. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/appv-deploy-and-config.md b/windows/client-management/mdm/appv-deploy-and-config.md index 79bb949ff1..a407704b93 100644 --- a/windows/client-management/mdm/appv-deploy-and-config.md +++ b/windows/client-management/mdm/appv-deploy-and-config.md @@ -1,14 +1,14 @@ --- title: Deploy and configure App-V apps using MDM description: Configure, deploy, and manage Microsoft Application Virtualization (App-V) apps using Microsoft Endpoint Manager or App-V server. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Deploy and configure App-V apps using MDM diff --git a/windows/client-management/mdm/assign-seats.md b/windows/client-management/mdm/assign-seats.md index d8c68d15e5..7394103149 100644 --- a/windows/client-management/mdm/assign-seats.md +++ b/windows/client-management/mdm/assign-seats.md @@ -2,12 +2,12 @@ title: Assign seat description: The Assign seat operation assigns seat for a specified user in the Microsoft Store for Business. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/18/2017 --- diff --git a/windows/client-management/mdm/assignedaccess-csp.md b/windows/client-management/mdm/assignedaccess-csp.md index cf61a9f2c1..c0085b11e0 100644 --- a/windows/client-management/mdm/assignedaccess-csp.md +++ b/windows/client-management/mdm/assignedaccess-csp.md @@ -2,12 +2,12 @@ title: AssignedAccess CSP description: The AssignedAccess configuration service provider (CSP) is used set the device to run in kiosk mode. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 05/03/2022 --- diff --git a/windows/client-management/mdm/assignedaccess-ddf.md b/windows/client-management/mdm/assignedaccess-ddf.md index 276a419912..36b3670dac 100644 --- a/windows/client-management/mdm/assignedaccess-ddf.md +++ b/windows/client-management/mdm/assignedaccess-ddf.md @@ -2,12 +2,12 @@ title: AssignedAccess DDF description: Learn how the OMA DM device description framework (DDF) for the AssignedAccess configuration service provider. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 02/22/2018 --- diff --git a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md index 5430991444..467e007dd7 100644 --- a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md +++ b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md @@ -2,12 +2,12 @@ title: Azure Active Directory integration with MDM description: Azure Active Directory is the world largest enterprise cloud identity management service. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.collection: highpri --- diff --git a/windows/client-management/mdm/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md b/windows/client-management/mdm/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md index ce25592491..e54875a1df 100644 --- a/windows/client-management/mdm/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md +++ b/windows/client-management/mdm/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md @@ -1,14 +1,14 @@ --- title: Azure AD and Microsoft Intune - Automatic MDM enrollment in the new Portal description: Azure AD and Microsoft Intune - Automatic MDM enrollment in the new portal -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/18/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md index 7af651d2c0..a9cfa0de6d 100644 --- a/windows/client-management/mdm/bitlocker-csp.md +++ b/windows/client-management/mdm/bitlocker-csp.md @@ -1,15 +1,15 @@ --- title: BitLocker CSP description: Learn how the BitLocker configuration service provider (CSP) is used by the enterprise to manage encryption of PCs and devices. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 02/04/2022 ms.reviewer: -manager: dansimp +manager: aaroncz ms.collection: highpri --- diff --git a/windows/client-management/mdm/bitlocker-ddf-file.md b/windows/client-management/mdm/bitlocker-ddf-file.md index b40819c5e8..663e7d623f 100644 --- a/windows/client-management/mdm/bitlocker-ddf-file.md +++ b/windows/client-management/mdm/bitlocker-ddf-file.md @@ -1,15 +1,15 @@ --- title: BitLocker DDF file description: Learn about the OMA DM device description framework (DDF) for the BitLocker configuration service provider. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/30/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # BitLocker DDF file diff --git a/windows/client-management/mdm/bulk-assign-and-reclaim-seats-from-user.md b/windows/client-management/mdm/bulk-assign-and-reclaim-seats-from-user.md index 19a2fa944c..a02395dea5 100644 --- a/windows/client-management/mdm/bulk-assign-and-reclaim-seats-from-user.md +++ b/windows/client-management/mdm/bulk-assign-and-reclaim-seats-from-user.md @@ -2,12 +2,12 @@ title: Bulk assign and reclaim seats from users description: The Bulk assign and reclaim seats from users operation returns reclaimed or assigned seats in the Microsoft Store for Business. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/18/2017 --- diff --git a/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md b/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md index a6d69bff48..c54261ccfa 100644 --- a/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md +++ b/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md @@ -5,12 +5,12 @@ MS-HAID: - 'p\_phdevicemgmt.bulk\_enrollment' - 'p\_phDeviceMgmt.bulk\_enrollment\_using\_Windows\_provisioning\_tool' ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/cellularsettings-csp.md b/windows/client-management/mdm/cellularsettings-csp.md index 8e5f9ebac8..6c97d9489d 100644 --- a/windows/client-management/mdm/cellularsettings-csp.md +++ b/windows/client-management/mdm/cellularsettings-csp.md @@ -2,12 +2,12 @@ title: CellularSettings CSP description: Learn how the CellularSettings configuration service provider is used to configure cellular settings on a mobile device. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/certificate-authentication-device-enrollment.md b/windows/client-management/mdm/certificate-authentication-device-enrollment.md index f7af4adf18..9ea52d92fc 100644 --- a/windows/client-management/mdm/certificate-authentication-device-enrollment.md +++ b/windows/client-management/mdm/certificate-authentication-device-enrollment.md @@ -2,12 +2,12 @@ title: Certificate authentication device enrollment description: This section provides an example of the mobile device enrollment protocol using certificate authentication policy. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/certificate-renewal-windows-mdm.md b/windows/client-management/mdm/certificate-renewal-windows-mdm.md index 078523d5fb..96a2369975 100644 --- a/windows/client-management/mdm/certificate-renewal-windows-mdm.md +++ b/windows/client-management/mdm/certificate-renewal-windows-mdm.md @@ -5,12 +5,12 @@ MS-HAID: - 'p\_phdevicemgmt.certificate\_renewal' - 'p\_phDeviceMgmt.certificate\_renewal\_windows\_mdm' ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/certificatestore-csp.md b/windows/client-management/mdm/certificatestore-csp.md index 423745bbf6..585bfdba94 100644 --- a/windows/client-management/mdm/certificatestore-csp.md +++ b/windows/client-management/mdm/certificatestore-csp.md @@ -2,12 +2,12 @@ title: CertificateStore CSP description: Use the CertificateStore configuration service provider (CSP) to add secure socket layers (SSL), intermediate, and self-signed certificates. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 02/28/2020 --- diff --git a/windows/client-management/mdm/certificatestore-ddf-file.md b/windows/client-management/mdm/certificatestore-ddf-file.md index d05b283472..a99edbb1e3 100644 --- a/windows/client-management/mdm/certificatestore-ddf-file.md +++ b/windows/client-management/mdm/certificatestore-ddf-file.md @@ -2,12 +2,12 @@ title: CertificateStore DDF file description: Learn about OMA DM device description framework (DDF) for the CertificateStore configuration service provider. DDF files are used with OMA DM provisioning XML. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/change-history-for-mdm-documentation.md b/windows/client-management/mdm/change-history-for-mdm-documentation.md index 335e7119ac..a01ff5b853 100644 --- a/windows/client-management/mdm/change-history-for-mdm-documentation.md +++ b/windows/client-management/mdm/change-history-for-mdm-documentation.md @@ -1,10 +1,10 @@ --- title: Change history for MDM documentation description: This article lists new and updated articles for Mobile Device Management. -author: aczechowski -ms.author: aaroncz -ms.reviewer: -manager: dougeby +author: vinaypamnani-msft +ms.author: vinpa +ms.reviewer: +manager: aaroncz ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/cleanpc-csp.md b/windows/client-management/mdm/cleanpc-csp.md index 3c615c5b08..74cd9636c7 100644 --- a/windows/client-management/mdm/cleanpc-csp.md +++ b/windows/client-management/mdm/cleanpc-csp.md @@ -1,14 +1,14 @@ --- title: CleanPC CSP description: The CleanPC configuration service provider (CSP) allows you to remove user-installed and pre-installed applications, with the option to persist user data. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 ms.reviewer: -manager: dansimp +manager: aaroncz --- # CleanPC CSP diff --git a/windows/client-management/mdm/cleanpc-ddf.md b/windows/client-management/mdm/cleanpc-ddf.md index d5f5924627..9677737584 100644 --- a/windows/client-management/mdm/cleanpc-ddf.md +++ b/windows/client-management/mdm/cleanpc-ddf.md @@ -2,12 +2,12 @@ title: CleanPC DDF description: Learn about the OMA DM device description framework (DDF) for the CleanPC configuration service provider. DDF files are used only with OMA DM provisioning XML. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/clientcertificateinstall-csp.md b/windows/client-management/mdm/clientcertificateinstall-csp.md index 8d30b4114c..faff015660 100644 --- a/windows/client-management/mdm/clientcertificateinstall-csp.md +++ b/windows/client-management/mdm/clientcertificateinstall-csp.md @@ -2,12 +2,12 @@ title: ClientCertificateInstall CSP description: The ClientCertificateInstall configuration service provider (CSP) enables the enterprise to install client certificates. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 07/30/2021 --- diff --git a/windows/client-management/mdm/clientcertificateinstall-ddf-file.md b/windows/client-management/mdm/clientcertificateinstall-ddf-file.md index da749c41ae..716eff3eef 100644 --- a/windows/client-management/mdm/clientcertificateinstall-ddf-file.md +++ b/windows/client-management/mdm/clientcertificateinstall-ddf-file.md @@ -2,12 +2,12 @@ title: ClientCertificateInstall DDF file description: Learn about the OMA DM device description framework (DDF) for the ClientCertificateInstall configuration service provider. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/cm-cellularentries-csp.md b/windows/client-management/mdm/cm-cellularentries-csp.md index 2204143dfe..910c3b6c31 100644 --- a/windows/client-management/mdm/cm-cellularentries-csp.md +++ b/windows/client-management/mdm/cm-cellularentries-csp.md @@ -2,12 +2,12 @@ title: CM\_CellularEntries CSP description: Learn how to configure the General Packet Radio Service (GPRS) entries using the CM\_CellularEntries CSP. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 08/02/2017 --- diff --git a/windows/client-management/mdm/cmpolicy-csp.md b/windows/client-management/mdm/cmpolicy-csp.md index 94b8c15c30..38d7d17625 100644 --- a/windows/client-management/mdm/cmpolicy-csp.md +++ b/windows/client-management/mdm/cmpolicy-csp.md @@ -2,12 +2,12 @@ title: CMPolicy CSP description: Learn how the CMPolicy configuration service provider (CSP) is used to define rules that the Connection Manager uses to identify correct connections. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/cmpolicyenterprise-csp.md b/windows/client-management/mdm/cmpolicyenterprise-csp.md index a2858ed680..8515da3881 100644 --- a/windows/client-management/mdm/cmpolicyenterprise-csp.md +++ b/windows/client-management/mdm/cmpolicyenterprise-csp.md @@ -2,12 +2,12 @@ title: CMPolicyEnterprise CSP description: Learn how the CMPolicyEnterprise CSP is used to define rules that the Connection Manager uses to identify the correct connection for a connection request. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/cmpolicyenterprise-ddf-file.md b/windows/client-management/mdm/cmpolicyenterprise-ddf-file.md index 9714d6d292..47fd1ec39d 100644 --- a/windows/client-management/mdm/cmpolicyenterprise-ddf-file.md +++ b/windows/client-management/mdm/cmpolicyenterprise-ddf-file.md @@ -2,12 +2,12 @@ title: CMPolicyEnterprise DDF file description: Learn about the OMA DM device description framework (DDF) for the CMPolicyEnterprise configuration service provider. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/config-lock.md b/windows/client-management/mdm/config-lock.md index a2167e456e..a9339f8e76 100644 --- a/windows/client-management/mdm/config-lock.md +++ b/windows/client-management/mdm/config-lock.md @@ -1,12 +1,12 @@ --- title: Secured-core configuration lock description: A secured-core PC (SCPC) feature that prevents configuration drift from secured-core PC features caused by unintentional misconfiguration. -manager: dansimp -ms.author: v-lsaldanha +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w11 ms.technology: windows -author: lovina-saldanha +author: vinaypamnani-msft ms.date: 05/24/2022 --- diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index 6c7adbc949..62eca97eea 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md @@ -2,12 +2,12 @@ title: Configuration service provider reference description: A configuration service provider (CSP) is an interface to read, set, modify, or delete configuration settings on the device. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/18/2020 ms.collection: highpri --- diff --git a/windows/client-management/mdm/customdeviceui-csp.md b/windows/client-management/mdm/customdeviceui-csp.md index de2896f574..759f17f26a 100644 --- a/windows/client-management/mdm/customdeviceui-csp.md +++ b/windows/client-management/mdm/customdeviceui-csp.md @@ -2,12 +2,12 @@ title: CustomDeviceUI CSP description: Learn how the CustomDeviceUI configuration service provider (CSP) allows OEMs to implement their custom foreground application. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/customdeviceui-ddf.md b/windows/client-management/mdm/customdeviceui-ddf.md index 0433c22507..f847a4ba95 100644 --- a/windows/client-management/mdm/customdeviceui-ddf.md +++ b/windows/client-management/mdm/customdeviceui-ddf.md @@ -2,12 +2,12 @@ title: CustomDeviceUI DDF description: Learn about the OMA DM device description framework (DDF) for the CustomDeviceUI configuration service provider. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/data-structures-windows-store-for-business.md b/windows/client-management/mdm/data-structures-windows-store-for-business.md index 138c6d80c8..e39e9c9e12 100644 --- a/windows/client-management/mdm/data-structures-windows-store-for-business.md +++ b/windows/client-management/mdm/data-structures-windows-store-for-business.md @@ -1,16 +1,16 @@ --- title: Data structures for Microsoft Store for Business description: Learn about the various data structures for Microsoft Store for Business. -MS-HAID: -- 'p\_phdevicemgmt.business\_store\_data\_structures' -- 'p\_phDeviceMgmt.data\_structures\_windows\_store\_for\_business' +MS-HAID: + - 'p\_phdevicemgmt.business\_store\_data\_structures' + - 'p\_phDeviceMgmt.data\_structures\_windows\_store\_for\_business' ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/18/2017 --- diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md index 6a6904fd19..ca3b7ea096 100644 --- a/windows/client-management/mdm/defender-csp.md +++ b/windows/client-management/mdm/defender-csp.md @@ -2,12 +2,12 @@ title: Defender CSP description: Learn how the Windows Defender configuration service provider is used to configure various Windows Defender actions across the enterprise. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 02/22/2022 --- diff --git a/windows/client-management/mdm/defender-ddf.md b/windows/client-management/mdm/defender-ddf.md index 9bf6463258..1a99f5c85b 100644 --- a/windows/client-management/mdm/defender-ddf.md +++ b/windows/client-management/mdm/defender-ddf.md @@ -2,12 +2,12 @@ title: Defender DDF file description: Learn how the OMA DM device description framework (DDF) for the Defender configuration service provider is used. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 07/23/2021 --- diff --git a/windows/client-management/mdm/devdetail-csp.md b/windows/client-management/mdm/devdetail-csp.md index 23a246c454..a1b368c716 100644 --- a/windows/client-management/mdm/devdetail-csp.md +++ b/windows/client-management/mdm/devdetail-csp.md @@ -2,12 +2,12 @@ title: DevDetail CSP description: Learn how the DevDetail configuration service provider handles the management object. This CSP provides device-specific parameters to the OMA DM server. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 03/27/2020 --- diff --git a/windows/client-management/mdm/devdetail-ddf-file.md b/windows/client-management/mdm/devdetail-ddf-file.md index e1d79c9308..957eb5558f 100644 --- a/windows/client-management/mdm/devdetail-ddf-file.md +++ b/windows/client-management/mdm/devdetail-ddf-file.md @@ -2,12 +2,12 @@ title: DevDetail DDF file description: Learn about the OMA DM device description framework (DDF) for the DevDetail configuration service provider. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/03/2020 --- diff --git a/windows/client-management/mdm/developersetup-csp.md b/windows/client-management/mdm/developersetup-csp.md index 244e26d627..592432a187 100644 --- a/windows/client-management/mdm/developersetup-csp.md +++ b/windows/client-management/mdm/developersetup-csp.md @@ -2,12 +2,12 @@ title: DeveloperSetup CSP description: The DeveloperSetup configuration service provider (CSP) is used to configure developer mode on the device. This CSP was added in the Windows 10, version 1703. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2018 --- diff --git a/windows/client-management/mdm/developersetup-ddf.md b/windows/client-management/mdm/developersetup-ddf.md index 4d959b186f..ae96fa64df 100644 --- a/windows/client-management/mdm/developersetup-ddf.md +++ b/windows/client-management/mdm/developersetup-ddf.md @@ -2,12 +2,12 @@ title: DeveloperSetup DDF file description: This topic shows the OMA DM device description framework (DDF) for the DeveloperSetup configuration service provider. This CSP was added in Windows 10, version 1703. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/device-update-management.md b/windows/client-management/mdm/device-update-management.md index 030e89915c..bd5f317fc2 100644 --- a/windows/client-management/mdm/device-update-management.md +++ b/windows/client-management/mdm/device-update-management.md @@ -2,12 +2,12 @@ title: Mobile device management MDM for device updates description: Windows 10 provides several APIs to help mobile device management (MDM) solutions manage updates. Learn how to use these APIs to implement update management. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 11/15/2017 ms.collection: highpri --- diff --git a/windows/client-management/mdm/devicelock-csp.md b/windows/client-management/mdm/devicelock-csp.md index 2ee9b7eb60..29938e34dc 100644 --- a/windows/client-management/mdm/devicelock-csp.md +++ b/windows/client-management/mdm/devicelock-csp.md @@ -2,12 +2,12 @@ title: DeviceLock CSP description: Learn how the DeviceLock configuration service provider (CSP) is used by the enterprise management server to configure device lock related policies. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/devicelock-ddf-file.md b/windows/client-management/mdm/devicelock-ddf-file.md index 75ec208587..974d878b01 100644 --- a/windows/client-management/mdm/devicelock-ddf-file.md +++ b/windows/client-management/mdm/devicelock-ddf-file.md @@ -2,12 +2,12 @@ title: DeviceLock DDF file description: Learn about the OMA DM device description framework (DDF) for the DeviceLock configuration service provider (CSP). ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/devicemanageability-csp.md b/windows/client-management/mdm/devicemanageability-csp.md index 355ebdc632..b650e3c405 100644 --- a/windows/client-management/mdm/devicemanageability-csp.md +++ b/windows/client-management/mdm/devicemanageability-csp.md @@ -1,13 +1,13 @@ --- title: DeviceManageability CSP -description: Learn how the DeviceManageability configuration service provider (CSP) is used to retrieve general information about MDM configuration capabilities on the device. +description: Learn how the DeviceManageability configuration service provider (CSP) is used to retrieve general information about MDM configuration capabilities on the device. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 11/01/2017 --- diff --git a/windows/client-management/mdm/devicemanageability-ddf.md b/windows/client-management/mdm/devicemanageability-ddf.md index f57ca0aef2..23dd9b8cf6 100644 --- a/windows/client-management/mdm/devicemanageability-ddf.md +++ b/windows/client-management/mdm/devicemanageability-ddf.md @@ -2,12 +2,12 @@ title: DeviceManageability DDF description: This topic shows the OMA DM device description framework (DDF) for the DeviceManageability configuration service provider. This CSP was added in Windows 10, version 1607. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/devicestatus-csp.md b/windows/client-management/mdm/devicestatus-csp.md index e804c7d30b..c900b41939 100644 --- a/windows/client-management/mdm/devicestatus-csp.md +++ b/windows/client-management/mdm/devicestatus-csp.md @@ -2,12 +2,12 @@ title: DeviceStatus CSP description: Learn how the DeviceStatus configuration service provider keeps track of device inventory and queries the compliance state of devices within the enterprise. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/25/2021 --- diff --git a/windows/client-management/mdm/devicestatus-ddf.md b/windows/client-management/mdm/devicestatus-ddf.md index 5327b89015..9019f6a5b9 100644 --- a/windows/client-management/mdm/devicestatus-ddf.md +++ b/windows/client-management/mdm/devicestatus-ddf.md @@ -2,12 +2,12 @@ title: DeviceStatus DDF description: This topic shows the OMA DM device description framework (DDF) for the DeviceStatus configuration service provider. DDF files are used only with OMA DM provisioning XML. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 03/12/2018 --- diff --git a/windows/client-management/mdm/devinfo-csp.md b/windows/client-management/mdm/devinfo-csp.md index c8403f3163..fe9309086b 100644 --- a/windows/client-management/mdm/devinfo-csp.md +++ b/windows/client-management/mdm/devinfo-csp.md @@ -2,12 +2,12 @@ title: DevInfo CSP description: Learn how the DevInfo configuration service provider handles the managed object that provides device information to the OMA DM server. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/devinfo-ddf-file.md b/windows/client-management/mdm/devinfo-ddf-file.md index 9d99d2d67b..ae70ac7ba1 100644 --- a/windows/client-management/mdm/devinfo-ddf-file.md +++ b/windows/client-management/mdm/devinfo-ddf-file.md @@ -2,12 +2,12 @@ title: DevInfo DDF file description: Learn about the OMA DM device description framework (DDF) for the DevInfo configuration service provider (CSP). ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md b/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md index ea79a37fdb..1191fc721d 100644 --- a/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md +++ b/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md @@ -2,12 +2,12 @@ title: Diagnose MDM failures in Windows 10 description: Learn how to collect MDM logs. Examining these logs can help diagnose enrollment or device management issues in Windows 10 devices managed by an MDM server. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/25/2018 ms.collection: highpri --- diff --git a/windows/client-management/mdm/diagnosticlog-csp.md b/windows/client-management/mdm/diagnosticlog-csp.md index cdf8c2917d..119d455dec 100644 --- a/windows/client-management/mdm/diagnosticlog-csp.md +++ b/windows/client-management/mdm/diagnosticlog-csp.md @@ -2,12 +2,12 @@ title: DiagnosticLog CSP description: Learn about the feature areas of the DiagnosticLog configuration service provider (CSP), including the DiagnosticLog area and Policy area. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 11/19/2019 --- diff --git a/windows/client-management/mdm/diagnosticlog-ddf.md b/windows/client-management/mdm/diagnosticlog-ddf.md index 38cf705e56..379b38b3fe 100644 --- a/windows/client-management/mdm/diagnosticlog-ddf.md +++ b/windows/client-management/mdm/diagnosticlog-ddf.md @@ -2,12 +2,12 @@ title: DiagnosticLog DDF description: Learn about the the OMA DM device description framework (DDF) for the DiagnosticLog configuration service provider (CSP). ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md b/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md index b3582457ad..31fbaa5aa9 100644 --- a/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md +++ b/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md @@ -1,16 +1,16 @@ --- title: Disconnecting from the management infrastructure (unenrollment) description: Disconnecting is initiated either locally by the user using a phone or remotely by the IT admin using management server. -MS-HAID: -- 'p\_phdevicemgmt.disconnecting\_from\_the\_management\_infrastructure\_\_unenrollment\_' -- 'p\_phDeviceMgmt.disconnecting\_from\_mdm\_unenrollment' +MS-HAID: + - 'p\_phdevicemgmt.disconnecting\_from\_the\_management\_infrastructure\_\_unenrollment\_' + - 'p\_phDeviceMgmt.disconnecting\_from\_mdm\_unenrollment' ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/dmacc-csp.md b/windows/client-management/mdm/dmacc-csp.md index 9938c6c5dc..ad9d6ccc76 100644 --- a/windows/client-management/mdm/dmacc-csp.md +++ b/windows/client-management/mdm/dmacc-csp.md @@ -2,12 +2,12 @@ title: DMAcc CSP description: Learn how the DMAcc configuration service provider (CSP) allows an OMA Device Management (DM) version 1.2 server to handle OMA DM account objects. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/dmacc-ddf-file.md b/windows/client-management/mdm/dmacc-ddf-file.md index b967d91e87..4ba6320269 100644 --- a/windows/client-management/mdm/dmacc-ddf-file.md +++ b/windows/client-management/mdm/dmacc-ddf-file.md @@ -2,12 +2,12 @@ title: DMAcc DDF file description: Learn about the OMA DM device description framework (DDF) for the DMAcc configuration service provider (CSP). ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/dmclient-csp.md b/windows/client-management/mdm/dmclient-csp.md index 165584ee19..dbaec53d02 100644 --- a/windows/client-management/mdm/dmclient-csp.md +++ b/windows/client-management/mdm/dmclient-csp.md @@ -2,12 +2,12 @@ title: DMClient CSP description: Understand how the DMClient configuration service provider (CSP) is used to specify enterprise-specific mobile device management (MDM) configuration settings. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 11/01/2017 --- diff --git a/windows/client-management/mdm/dmclient-ddf-file.md b/windows/client-management/mdm/dmclient-ddf-file.md index ca0753b5bc..2f7ca1fb7e 100644 --- a/windows/client-management/mdm/dmclient-ddf-file.md +++ b/windows/client-management/mdm/dmclient-ddf-file.md @@ -2,12 +2,12 @@ title: DMClient DDF file description: Learn about the OMA DM device description framework (DDF) for the DMClient configuration service provider (CSP). ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/dmprocessconfigxmlfiltered.md b/windows/client-management/mdm/dmprocessconfigxmlfiltered.md index 27091ecd80..471f590bc9 100644 --- a/windows/client-management/mdm/dmprocessconfigxmlfiltered.md +++ b/windows/client-management/mdm/dmprocessconfigxmlfiltered.md @@ -3,20 +3,20 @@ title: DMProcessConfigXMLFiltered function description: Learn how the DMProcessConfigXMLFiltered function configures phone settings by using OMA Client Provisioning XML. Search.Refinement.TopicID: 184 ms.reviewer: -manager: dansimp -topic_type: -- apiref -api_name: -- DMProcessConfigXMLFiltered -api_location: -- dmprocessxmlfiltered.dll -api_type: -- DllExport -ms.author: dansimp +manager: aaroncz +topic_type: + - apiref +api_name: + - DMProcessConfigXMLFiltered +api_location: + - dmprocessxmlfiltered.dll +api_type: + - DllExport +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/dmsessionactions-csp.md b/windows/client-management/mdm/dmsessionactions-csp.md index 8a95673243..e9c3080fba 100644 --- a/windows/client-management/mdm/dmsessionactions-csp.md +++ b/windows/client-management/mdm/dmsessionactions-csp.md @@ -1,14 +1,14 @@ --- title: DMSessionActions CSP description: Learn how the DMSessionActions configuration service provider (CSP) is used to manage the number of sessions the client skips if the device is in a low-power state. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 ms.reviewer: -manager: dansimp +manager: aaroncz --- # DMSessionActions CSP diff --git a/windows/client-management/mdm/dmsessionactions-ddf.md b/windows/client-management/mdm/dmsessionactions-ddf.md index 7cebc030ce..fcb5cb106e 100644 --- a/windows/client-management/mdm/dmsessionactions-ddf.md +++ b/windows/client-management/mdm/dmsessionactions-ddf.md @@ -1,14 +1,14 @@ --- title: DMSessionActions DDF file description: Learn about the OMA DM device description framework (DDF) for the DMSessionActions configuration service provider (CSP). -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 ms.reviewer: -manager: dansimp +manager: aaroncz --- # DMSessionActions DDF file diff --git a/windows/client-management/mdm/dynamicmanagement-csp.md b/windows/client-management/mdm/dynamicmanagement-csp.md index ce38bf29cd..3e4e54c181 100644 --- a/windows/client-management/mdm/dynamicmanagement-csp.md +++ b/windows/client-management/mdm/dynamicmanagement-csp.md @@ -1,14 +1,14 @@ --- title: DynamicManagement CSP description: Learn how the Dynamic Management configuration service provider (CSP) enables configuration of policies that change how the device is managed. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 ms.reviewer: -manager: dansimp +manager: aaroncz ms.collection: highpri --- diff --git a/windows/client-management/mdm/dynamicmanagement-ddf.md b/windows/client-management/mdm/dynamicmanagement-ddf.md index 0bb1c75f3e..0e2a6dd191 100644 --- a/windows/client-management/mdm/dynamicmanagement-ddf.md +++ b/windows/client-management/mdm/dynamicmanagement-ddf.md @@ -2,12 +2,12 @@ title: DynamicManagement DDF file description: Learn about the OMA DM device description framework (DDF) for the DynamicManagement configuration service provider (CSP). ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/eap-configuration.md b/windows/client-management/mdm/eap-configuration.md index 6eff7f2a44..1298e152d0 100644 --- a/windows/client-management/mdm/eap-configuration.md +++ b/windows/client-management/mdm/eap-configuration.md @@ -2,12 +2,12 @@ title: EAP configuration description: Learn how to create an Extensible Authentication Protocol (EAP) configuration XML for a VPN profile, including details about EAP certificate filtering in Windows 10. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/email2-csp.md b/windows/client-management/mdm/email2-csp.md index 2c03c1146b..a88665101f 100644 --- a/windows/client-management/mdm/email2-csp.md +++ b/windows/client-management/mdm/email2-csp.md @@ -2,12 +2,12 @@ title: EMAIL2 CSP description: Learn how the EMAIL2 configuration service provider (CSP) is used to configure Simple Mail Transfer Protocol (SMTP) email accounts. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/email2-ddf-file.md b/windows/client-management/mdm/email2-ddf-file.md index 7e3c271fc3..ec7d604849 100644 --- a/windows/client-management/mdm/email2-ddf-file.md +++ b/windows/client-management/mdm/email2-ddf-file.md @@ -2,12 +2,12 @@ title: EMAIL2 DDF file description: Learn how the OMA DM device description framework (DDF) for the EMAIL2 configuration service provider (CSP). ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md b/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md index 7a4821350c..a8fdcc53b2 100644 --- a/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md +++ b/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md @@ -1,15 +1,15 @@ --- title: Enable ADMX policies in MDM description: Use this step-by-step guide to configure a selected set of Group Policy administrative templates (ADMX policies) in Mobile Device Management (MDM). -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 11/01/2017 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Enable ADMX policies in MDM diff --git a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md index 8076b0a504..b7a2a1544c 100644 --- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md +++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md @@ -1,14 +1,14 @@ --- title: Enroll a Windows 10 device automatically using Group Policy description: Learn how to use a Group Policy to trigger auto-enrollment to MDM for Active Directory (AD) domain-joined devices. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 04/30/2022 -ms.reviewer: -manager: dansimp +ms.reviewer: +manager: aaroncz ms.collection: highpri --- diff --git a/windows/client-management/mdm/enrollmentstatustracking-csp-ddf.md b/windows/client-management/mdm/enrollmentstatustracking-csp-ddf.md index 75870e43e0..40b17f8970 100644 --- a/windows/client-management/mdm/enrollmentstatustracking-csp-ddf.md +++ b/windows/client-management/mdm/enrollmentstatustracking-csp-ddf.md @@ -1,11 +1,11 @@ --- title: EnrollmentStatusTracking DDF description: View the OMA DM DDF for the EnrollmentStatusTracking configuration service provider. DDF files are used only with OMA DM provisioning XML. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 05/17/2019 --- diff --git a/windows/client-management/mdm/enrollmentstatustracking-csp.md b/windows/client-management/mdm/enrollmentstatustracking-csp.md index d345f06255..3ad33fa688 100644 --- a/windows/client-management/mdm/enrollmentstatustracking-csp.md +++ b/windows/client-management/mdm/enrollmentstatustracking-csp.md @@ -1,11 +1,11 @@ --- title: EnrollmentStatusTracking CSP description: Learn how to execute a hybrid certificate trust deployment of Windows Hello for Business, for systems with no previous installations. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 05/21/2019 --- diff --git a/windows/client-management/mdm/enterprise-app-management.md b/windows/client-management/mdm/enterprise-app-management.md index c64c2d9ba3..d2dc640f22 100644 --- a/windows/client-management/mdm/enterprise-app-management.md +++ b/windows/client-management/mdm/enterprise-app-management.md @@ -2,12 +2,12 @@ title: Enterprise app management description: This article covers one of the key mobile device management (MDM) features in Windows 10 for managing the lifecycle of apps across all of Windows. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 10/04/2021 --- diff --git a/windows/client-management/mdm/enterpriseapn-csp.md b/windows/client-management/mdm/enterpriseapn-csp.md index 1e49e6f694..7988975af6 100644 --- a/windows/client-management/mdm/enterpriseapn-csp.md +++ b/windows/client-management/mdm/enterpriseapn-csp.md @@ -2,12 +2,12 @@ title: EnterpriseAPN CSP description: The EnterpriseAPN configuration service provider is used by the enterprise to provision an APN for the Internet. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/22/2017 --- diff --git a/windows/client-management/mdm/enterpriseapn-ddf.md b/windows/client-management/mdm/enterpriseapn-ddf.md index 2e81ae80fd..e83aef75e3 100644 --- a/windows/client-management/mdm/enterpriseapn-ddf.md +++ b/windows/client-management/mdm/enterpriseapn-ddf.md @@ -2,12 +2,12 @@ title: EnterpriseAPN DDF description: Learn about the OMA DM device description framework (DDF) for the EnterpriseAPN configuration service provider (CSP). ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/enterpriseappvmanagement-csp.md b/windows/client-management/mdm/enterpriseappvmanagement-csp.md index b2a5361647..23d45c61be 100644 --- a/windows/client-management/mdm/enterpriseappvmanagement-csp.md +++ b/windows/client-management/mdm/enterpriseappvmanagement-csp.md @@ -1,14 +1,14 @@ --- title: EnterpriseAppVManagement CSP -description: Examine the tree format for EnterpriseAppVManagement CSP to manage virtual applications in Windows 10 or Windows 11 PCs. (Enterprise and Education editions). -ms.author: dansimp +description: Examine the tree format for EnterpriseAppVManagement CSP to manage virtual applications in Windows 10 or Windows 11 PCs. (Enterprise and Education editions). +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 ms.reviewer: -manager: dansimp +manager: aaroncz --- # EnterpriseAppVManagement CSP diff --git a/windows/client-management/mdm/enterpriseappvmanagement-ddf.md b/windows/client-management/mdm/enterpriseappvmanagement-ddf.md index 1c18aff981..0572ef9f96 100644 --- a/windows/client-management/mdm/enterpriseappvmanagement-ddf.md +++ b/windows/client-management/mdm/enterpriseappvmanagement-ddf.md @@ -1,14 +1,14 @@ --- title: EnterpriseAppVManagement DDF file description: Learn about the OMA DM device description framework (DDF) for the EnterpriseAppVManagement configuration service provider (CSP). -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 ms.reviewer: -manager: dansimp +manager: aaroncz --- # EnterpriseAppVManagement DDF file diff --git a/windows/client-management/mdm/enterprisedataprotection-csp.md b/windows/client-management/mdm/enterprisedataprotection-csp.md index 176e9f3b24..bf660969d6 100644 --- a/windows/client-management/mdm/enterprisedataprotection-csp.md +++ b/windows/client-management/mdm/enterprisedataprotection-csp.md @@ -3,12 +3,12 @@ title: EnterpriseDataProtection CSP description: Learn how the EnterpriseDataProtection configuration service provider (CSP) configures Windows Information Protection (formerly, Enterprise Data Protection) settings. ms.assetid: E2D4467F-A154-4C00-9208-7798EF3E25B3 ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 08/09/2017 --- diff --git a/windows/client-management/mdm/enterprisedataprotection-ddf-file.md b/windows/client-management/mdm/enterprisedataprotection-ddf-file.md index 68e337c333..f8be987381 100644 --- a/windows/client-management/mdm/enterprisedataprotection-ddf-file.md +++ b/windows/client-management/mdm/enterprisedataprotection-ddf-file.md @@ -2,12 +2,12 @@ title: EnterpriseDataProtection DDF file description: The following topic shows the OMA DM device description framework (DDF) for the EnterpriseDataProtection configuration service provider. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md b/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md index 4b5ab02de2..d06146f5a0 100644 --- a/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md +++ b/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md @@ -3,12 +3,12 @@ title: EnterpriseDesktopAppManagement CSP description: Learn how the EnterpriseDesktopAppManagement CSP handles enterprise desktop application management tasks, such as installing or removing applications. ms.assetid: 2BFF7491-BB01-41BA-9A22-AB209EE59FC5 ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 07/11/2017 --- diff --git a/windows/client-management/mdm/enterprisedesktopappmanagement-ddf-file.md b/windows/client-management/mdm/enterprisedesktopappmanagement-ddf-file.md index 0803a2e9ab..dcf0663717 100644 --- a/windows/client-management/mdm/enterprisedesktopappmanagement-ddf-file.md +++ b/windows/client-management/mdm/enterprisedesktopappmanagement-ddf-file.md @@ -2,12 +2,12 @@ title: EnterpriseDesktopAppManagement DDF description: This topic shows the OMA DM device description framework (DDF) for the EnterpriseDesktopAppManagement configuration service provider. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/enterprisedesktopappmanagement2-xsd.md b/windows/client-management/mdm/enterprisedesktopappmanagement2-xsd.md index c570ad096b..4117208a89 100644 --- a/windows/client-management/mdm/enterprisedesktopappmanagement2-xsd.md +++ b/windows/client-management/mdm/enterprisedesktopappmanagement2-xsd.md @@ -2,12 +2,12 @@ title: EnterpriseDesktopAppManagement XSD description: This topic contains the XSD schema file for the EnterpriseDesktopAppManagement configuration service provider’s DownloadInstall parameter. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md index 7b616f1543..6aed81068c 100644 --- a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md +++ b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md @@ -2,12 +2,12 @@ title: EnterpriseModernAppManagement CSP description: Learn how the EnterpriseModernAppManagement configuration service provider (CSP) is used for the provisioning and reporting of modern enterprise apps. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 11/19/2021 --- diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md b/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md index 9e25733411..3a270aad3c 100644 --- a/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md +++ b/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md @@ -2,12 +2,12 @@ title: EnterpriseModernAppManagement DDF description: Learn about the OMA DM device description framework (DDF) for the EnterpriseModernAppManagement configuration service provider (CSP). ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 10/01/2019 --- diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-xsd.md b/windows/client-management/mdm/enterprisemodernappmanagement-xsd.md index dc9995f5ef..95016ab8fc 100644 --- a/windows/client-management/mdm/enterprisemodernappmanagement-xsd.md +++ b/windows/client-management/mdm/enterprisemodernappmanagement-xsd.md @@ -2,12 +2,12 @@ title: EnterpriseModernAppManagement XSD description: In this article, view the EnterpriseModernAppManagement XSD example so you can set application parameters. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/esim-enterprise-management.md b/windows/client-management/mdm/esim-enterprise-management.md index 30cebf3d9e..cdc60b2936 100644 --- a/windows/client-management/mdm/esim-enterprise-management.md +++ b/windows/client-management/mdm/esim-enterprise-management.md @@ -2,9 +2,9 @@ title: eSIM Enterprise Management description: Learn how Mobile Device Management (MDM) Providers support the eSIM Profile Management Solution on Windows. ms.prod: w10 -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium -ms.author: dansimp +ms.author: vinpa ms.topic: conceptual --- diff --git a/windows/client-management/mdm/euiccs-csp.md b/windows/client-management/mdm/euiccs-csp.md index 4a840115e0..8d50139134 100644 --- a/windows/client-management/mdm/euiccs-csp.md +++ b/windows/client-management/mdm/euiccs-csp.md @@ -1,14 +1,14 @@ --- title: eUICCs CSP description: Learn how the eUICCs CSP is used to support eUICC enterprise use cases and enables the IT admin to manage (assign, reassign, remove) subscriptions to employees. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 03/02/2018 ms.reviewer: -manager: dansimp +manager: aaroncz --- # eUICCs CSP diff --git a/windows/client-management/mdm/euiccs-ddf-file.md b/windows/client-management/mdm/euiccs-ddf-file.md index e6d041a4a2..c17f08e0f3 100644 --- a/windows/client-management/mdm/euiccs-ddf-file.md +++ b/windows/client-management/mdm/euiccs-ddf-file.md @@ -2,12 +2,12 @@ title: eUICCs DDF file description: Learn about the OMA DM device description framework (DDF) for the eUICCs configuration service provider (CSP). ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 03/02/2018 --- diff --git a/windows/client-management/mdm/federated-authentication-device-enrollment.md b/windows/client-management/mdm/federated-authentication-device-enrollment.md index 1bbe746b59..d0e4cb46c1 100644 --- a/windows/client-management/mdm/federated-authentication-device-enrollment.md +++ b/windows/client-management/mdm/federated-authentication-device-enrollment.md @@ -2,12 +2,12 @@ title: Federated authentication device enrollment description: This section provides an example of the mobile device enrollment protocol using federated authentication policy. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 07/28/2017 --- diff --git a/windows/client-management/mdm/firewall-csp.md b/windows/client-management/mdm/firewall-csp.md index ddcd82076c..af9202d9ca 100644 --- a/windows/client-management/mdm/firewall-csp.md +++ b/windows/client-management/mdm/firewall-csp.md @@ -1,13 +1,13 @@ --- title: Firewall CSP description: The Firewall configuration service provider (CSP) allows the mobile device management (MDM) server to configure the Windows Defender Firewall global settings. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.reviewer: -manager: dansimp +manager: aaroncz --- # Firewall configuration service provider (CSP) diff --git a/windows/client-management/mdm/firewall-ddf-file.md b/windows/client-management/mdm/firewall-ddf-file.md index fa54a62a29..50b8729198 100644 --- a/windows/client-management/mdm/firewall-ddf-file.md +++ b/windows/client-management/mdm/firewall-ddf-file.md @@ -1,14 +1,14 @@ --- title: Firewall DDF file description: Learn about the OMA DM device description framework (DDF) for the Firewall configuration service provider. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Firewall CSP diff --git a/windows/client-management/mdm/get-inventory.md b/windows/client-management/mdm/get-inventory.md index c4613e5251..2aa1418ebf 100644 --- a/windows/client-management/mdm/get-inventory.md +++ b/windows/client-management/mdm/get-inventory.md @@ -1,16 +1,16 @@ --- title: Get Inventory description: The Get Inventory operation retrieves information from the Microsoft Store for Business to determine if new or updated applications are available. -MS-HAID: -- 'p\_phdevicemgmt.get\_seatblock' -- 'p\_phDeviceMgmt.get\_inventory' +MS-HAID: + - 'p\_phdevicemgmt.get\_seatblock' + - 'p\_phDeviceMgmt.get\_inventory' ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/18/2017 --- diff --git a/windows/client-management/mdm/get-localized-product-details.md b/windows/client-management/mdm/get-localized-product-details.md index 1b91dfb6f8..373bebf5d7 100644 --- a/windows/client-management/mdm/get-localized-product-details.md +++ b/windows/client-management/mdm/get-localized-product-details.md @@ -2,12 +2,12 @@ title: Get localized product details description: The Get localized product details operation retrieves the localization information of a product from the Microsoft Store for Business. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/07/2020 --- diff --git a/windows/client-management/mdm/get-offline-license.md b/windows/client-management/mdm/get-offline-license.md index 24ff7dd8f5..8960d7a7eb 100644 --- a/windows/client-management/mdm/get-offline-license.md +++ b/windows/client-management/mdm/get-offline-license.md @@ -2,12 +2,12 @@ title: Get offline license description: The Get offline license operation retrieves the offline license information of a product from the Microsoft Store for Business. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/18/2017 --- diff --git a/windows/client-management/mdm/get-product-details.md b/windows/client-management/mdm/get-product-details.md index 2b5f901e1d..14b0e24af9 100644 --- a/windows/client-management/mdm/get-product-details.md +++ b/windows/client-management/mdm/get-product-details.md @@ -2,12 +2,12 @@ title: Get product details description: The Get product details operation retrieves the product information from the Microsoft Store for Business for a specific application. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/18/2017 --- diff --git a/windows/client-management/mdm/get-product-package.md b/windows/client-management/mdm/get-product-package.md index aaeb5a3b5e..2fa11f65b3 100644 --- a/windows/client-management/mdm/get-product-package.md +++ b/windows/client-management/mdm/get-product-package.md @@ -2,12 +2,12 @@ title: Get product package description: The Get product package operation retrieves the information about a specific application in the Microsoft Store for Business. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/18/2017 --- diff --git a/windows/client-management/mdm/get-product-packages.md b/windows/client-management/mdm/get-product-packages.md index 3eb39cbd7c..4312842783 100644 --- a/windows/client-management/mdm/get-product-packages.md +++ b/windows/client-management/mdm/get-product-packages.md @@ -2,12 +2,12 @@ title: Get product packages description: The Get product packages operation retrieves the information about applications in the Microsoft Store for Business. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/18/2017 --- diff --git a/windows/client-management/mdm/get-seat.md b/windows/client-management/mdm/get-seat.md index d0aec2af0b..66b6b7340f 100644 --- a/windows/client-management/mdm/get-seat.md +++ b/windows/client-management/mdm/get-seat.md @@ -2,12 +2,12 @@ title: Get seat description: The Get seat operation retrieves the information about an active seat for a specified user in the Microsoft Store for Business. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/18/2017 --- diff --git a/windows/client-management/mdm/get-seats-assigned-to-a-user.md b/windows/client-management/mdm/get-seats-assigned-to-a-user.md index a657aa4026..27a30678ae 100644 --- a/windows/client-management/mdm/get-seats-assigned-to-a-user.md +++ b/windows/client-management/mdm/get-seats-assigned-to-a-user.md @@ -2,12 +2,12 @@ title: Get seats assigned to a user description: The Get seats assigned to a user operation retrieves information about assigned seats in the Microsoft Store for Business. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/18/2017 --- diff --git a/windows/client-management/mdm/get-seats.md b/windows/client-management/mdm/get-seats.md index 2dc6f0a475..333d467ee8 100644 --- a/windows/client-management/mdm/get-seats.md +++ b/windows/client-management/mdm/get-seats.md @@ -2,12 +2,12 @@ title: Get seats description: The Get seats operation retrieves the information about active seats in the Microsoft Store for Business. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/18/2017 --- diff --git a/windows/client-management/mdm/healthattestation-csp.md b/windows/client-management/mdm/healthattestation-csp.md index 4eb0e57c7d..9c85e6205e 100644 --- a/windows/client-management/mdm/healthattestation-csp.md +++ b/windows/client-management/mdm/healthattestation-csp.md @@ -2,12 +2,12 @@ title: Device HealthAttestation CSP description: Learn how the DHA-CSP enables enterprise IT managers to assess if a device is booted to a trusted and compliant state, and take enterprise policy actions. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: --- diff --git a/windows/client-management/mdm/healthattestation-ddf.md b/windows/client-management/mdm/healthattestation-ddf.md index 65cf48aeb7..1d1e14d1ab 100644 --- a/windows/client-management/mdm/healthattestation-ddf.md +++ b/windows/client-management/mdm/healthattestation-ddf.md @@ -2,12 +2,12 @@ title: HealthAttestation DDF description: Learn about the OMA DM device description framework (DDF) for the HealthAttestation configuration service provider. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/implement-server-side-mobile-application-management.md b/windows/client-management/mdm/implement-server-side-mobile-application-management.md index 09eb2a8003..9d71b7234b 100644 --- a/windows/client-management/mdm/implement-server-side-mobile-application-management.md +++ b/windows/client-management/mdm/implement-server-side-mobile-application-management.md @@ -1,14 +1,14 @@ --- title: Support for mobile application management on Windows description: Learn about implementing the Windows version of mobile application management (MAM), which is a lightweight solution for managing company data access and security on personal devices. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 08/03/2022 -ms.reviewer: -manager: dansimp +ms.reviewer: +manager: aaroncz --- diff --git a/windows/client-management/mdm/management-tool-for-windows-store-for-business.md b/windows/client-management/mdm/management-tool-for-windows-store-for-business.md index c472c83092..e67b40bb24 100644 --- a/windows/client-management/mdm/management-tool-for-windows-store-for-business.md +++ b/windows/client-management/mdm/management-tool-for-windows-store-for-business.md @@ -1,16 +1,16 @@ --- title: Management tool for the Microsoft Store for Business description: The Microsoft Store for Business has a new web service designed for the enterprise to acquire, manage, and distribute applications in bulk. -MS-HAID: -- 'p\_phdevicemgmt.business\_store\_portal\_management\_tool' -- 'p\_phDeviceMgmt.management\_tool\_for\_windows\_store\_for\_business' +MS-HAID: + - 'p\_phdevicemgmt.business\_store\_portal\_management\_tool' + - 'p\_phDeviceMgmt.management\_tool\_for\_windows\_store\_for\_business' ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 10/27/2017 --- diff --git a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md index ddd397d1dc..d8748f2ee6 100644 --- a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md +++ b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md @@ -1,16 +1,16 @@ --- title: MDM enrollment of Windows 10-based devices description: Learn about mobile device management (MDM) enrollment of Windows 10-based devices to simplify access to your organization’s resources. -MS-HAID: -- 'p\_phdevicemgmt.enrollment\_ui' -- 'p\_phDeviceMgmt.mdm\_enrollment\_of\_windows\_devices' +MS-HAID: + - 'p\_phdevicemgmt.enrollment\_ui' + - 'p\_phDeviceMgmt.mdm\_enrollment\_of\_windows\_devices' ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.collection: highpri --- diff --git a/windows/client-management/mdm/mobile-device-enrollment.md b/windows/client-management/mdm/mobile-device-enrollment.md index b02ed00f8b..b161e96c13 100644 --- a/windows/client-management/mdm/mobile-device-enrollment.md +++ b/windows/client-management/mdm/mobile-device-enrollment.md @@ -2,12 +2,12 @@ title: Mobile device enrollment description: Learn how mobile device enrollment verifies that only authenticated and authorized devices can be managed by their enterprise. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 08/11/2017 ms.collection: highpri --- diff --git a/windows/client-management/mdm/multisim-csp.md b/windows/client-management/mdm/multisim-csp.md index 3a2861bbf1..0042735b48 100644 --- a/windows/client-management/mdm/multisim-csp.md +++ b/windows/client-management/mdm/multisim-csp.md @@ -1,14 +1,14 @@ --- title: MultiSIM CSP description: MultiSIM configuration service provider (CSP) allows the enterprise to manage devices with dual SIM single active configuration. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 03/22/2018 ms.reviewer: -manager: dansimp +manager: aaroncz --- # MultiSIM CSP diff --git a/windows/client-management/mdm/multisim-ddf.md b/windows/client-management/mdm/multisim-ddf.md index 18b9586283..662c3e0384 100644 --- a/windows/client-management/mdm/multisim-ddf.md +++ b/windows/client-management/mdm/multisim-ddf.md @@ -1,14 +1,14 @@ --- title: MultiSIM DDF file description: XML file containing the device description framework for the MultiSIM configuration service provider. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 02/27/2018 ms.reviewer: -manager: dansimp +manager: aaroncz --- # MultiSIM DDF diff --git a/windows/client-management/mdm/nap-csp.md b/windows/client-management/mdm/nap-csp.md index f2e5e008b4..2a4d93d58f 100644 --- a/windows/client-management/mdm/nap-csp.md +++ b/windows/client-management/mdm/nap-csp.md @@ -2,12 +2,12 @@ title: NAP CSP description: Learn how the Network Access Point (NAP) configuration service provider (CSP) is used to manage and query GPRS and CDMA connections. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/napdef-csp.md b/windows/client-management/mdm/napdef-csp.md index c93d4789ae..ebef8beec0 100644 --- a/windows/client-management/mdm/napdef-csp.md +++ b/windows/client-management/mdm/napdef-csp.md @@ -2,12 +2,12 @@ title: NAPDEF CSP description: Learn how the NAPDEF configuration service provider (CSP) is used to add, modify, or delete WAP network access points (NAPs). ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/networkproxy-csp.md b/windows/client-management/mdm/networkproxy-csp.md index 47b33480b1..c249a38718 100644 --- a/windows/client-management/mdm/networkproxy-csp.md +++ b/windows/client-management/mdm/networkproxy-csp.md @@ -1,14 +1,14 @@ --- title: NetworkProxy CSP description: Learn how the NetworkProxy configuration service provider (CSP) is used to configure a proxy server for ethernet and Wi-Fi connections. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 08/29/2018 ms.reviewer: -manager: dansimp +manager: aaroncz --- # NetworkProxy CSP diff --git a/windows/client-management/mdm/networkproxy-ddf.md b/windows/client-management/mdm/networkproxy-ddf.md index 2b5f2798f2..ed25d003b2 100644 --- a/windows/client-management/mdm/networkproxy-ddf.md +++ b/windows/client-management/mdm/networkproxy-ddf.md @@ -1,14 +1,14 @@ --- title: NetworkProxy DDF file description: AppNetworkProxyLocker DDF file -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 ms.reviewer: -manager: dansimp +manager: aaroncz --- # NetworkProxy DDF file diff --git a/windows/client-management/mdm/networkqospolicy-csp.md b/windows/client-management/mdm/networkqospolicy-csp.md index 5f455a3e9c..5b5d5d930e 100644 --- a/windows/client-management/mdm/networkqospolicy-csp.md +++ b/windows/client-management/mdm/networkqospolicy-csp.md @@ -1,14 +1,14 @@ --- title: NetworkQoSPolicy CSP description: The NetworkQoSPolicy CSP applies the Quality of Service (QoS) policy for Microsoft Surface Hub. This CSP was added in Windows 10, version 1703. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 04/22/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # NetworkQoSPolicy CSP diff --git a/windows/client-management/mdm/networkqospolicy-ddf.md b/windows/client-management/mdm/networkqospolicy-ddf.md index 0ba34a7805..972f823ac5 100644 --- a/windows/client-management/mdm/networkqospolicy-ddf.md +++ b/windows/client-management/mdm/networkqospolicy-ddf.md @@ -2,12 +2,12 @@ title: NetworkQoSPolicy DDF description: View the OMA DM device description framework (DDF) for the NetworkQoSPolicy configuration service provider. DDF files are used only with OMA DM provisioning XML. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index 1c9068aa93..fdfb90c836 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -1,16 +1,16 @@ --- title: What's new in MDM enrollment and management description: Discover what's new and breaking changes in Windows 10 and Windows 11 mobile device management (MDM) enrollment and management experience across all Windows 10 devices. -MS-HAID: -- 'p\_phdevicemgmt.mdm\_enrollment\_and\_management\_overview' -- 'p\_phDeviceMgmt.new\_in\_windows\_mdm\_enrollment\_management' +MS-HAID: + - 'p\_phdevicemgmt.mdm\_enrollment\_and\_management\_overview' + - 'p\_phDeviceMgmt.new\_in\_windows\_mdm\_enrollment\_management' ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 10/20/2020 --- diff --git a/windows/client-management/mdm/nodecache-csp.md b/windows/client-management/mdm/nodecache-csp.md index 09715dd733..dc9bf7a054 100644 --- a/windows/client-management/mdm/nodecache-csp.md +++ b/windows/client-management/mdm/nodecache-csp.md @@ -2,12 +2,12 @@ title: NodeCache CSP description: Use the NodeCache configuration service provider (CSP) to synchronize, monitor, and manage the client cache. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/nodecache-ddf-file.md b/windows/client-management/mdm/nodecache-ddf-file.md index e62ba59a21..8fb7117803 100644 --- a/windows/client-management/mdm/nodecache-ddf-file.md +++ b/windows/client-management/mdm/nodecache-ddf-file.md @@ -2,12 +2,12 @@ title: NodeCache DDF file description: Learn about the OMA DM device description framework (DDF) for the NodeCache configuration service provider (CSP). ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/office-csp.md b/windows/client-management/mdm/office-csp.md index e3ee2537c2..5fc7af65c0 100644 --- a/windows/client-management/mdm/office-csp.md +++ b/windows/client-management/mdm/office-csp.md @@ -1,14 +1,14 @@ --- title: Office CSP description: The Office configuration service provider (CSP) enables a Microsoft Office client to be installed on a device. This CSP was added in Windows 10, version 1703. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 08/15/2018 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Office CSP diff --git a/windows/client-management/mdm/office-ddf.md b/windows/client-management/mdm/office-ddf.md index 05bf3efc0f..94b6fecffe 100644 --- a/windows/client-management/mdm/office-ddf.md +++ b/windows/client-management/mdm/office-ddf.md @@ -2,12 +2,12 @@ title: Office DDF description: This topic shows the OMA DM device description framework (DDF) for the Office configuration service provider. DDF files are used only with OMA DM provisioning XML. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 08/15/2018 --- diff --git a/windows/client-management/mdm/oma-dm-protocol-support.md b/windows/client-management/mdm/oma-dm-protocol-support.md index 0a6a1332c0..add5219c9e 100644 --- a/windows/client-management/mdm/oma-dm-protocol-support.md +++ b/windows/client-management/mdm/oma-dm-protocol-support.md @@ -2,12 +2,12 @@ title: OMA DM protocol support description: See how the OMA DM client communicates with the server over HTTPS and uses DM Sync (OMA DM v1.2) as the message payload. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/on-premise-authentication-device-enrollment.md b/windows/client-management/mdm/on-premise-authentication-device-enrollment.md index 4d789fb346..129f2a8aae 100644 --- a/windows/client-management/mdm/on-premise-authentication-device-enrollment.md +++ b/windows/client-management/mdm/on-premise-authentication-device-enrollment.md @@ -2,12 +2,12 @@ title: On-premises authentication device enrollment description: This section provides an example of the mobile device enrollment protocol using on-premises authentication policy. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/passportforwork-csp.md b/windows/client-management/mdm/passportforwork-csp.md index 5c2ab3a0c1..d45249dffe 100644 --- a/windows/client-management/mdm/passportforwork-csp.md +++ b/windows/client-management/mdm/passportforwork-csp.md @@ -2,12 +2,12 @@ title: PassportForWork CSP description: The PassportForWork configuration service provider is used to provision Windows Hello for Business (formerly Microsoft Passport for Work). ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 07/19/2019 --- diff --git a/windows/client-management/mdm/passportforwork-ddf.md b/windows/client-management/mdm/passportforwork-ddf.md index 0b43dbee05..5bdaf460f7 100644 --- a/windows/client-management/mdm/passportforwork-ddf.md +++ b/windows/client-management/mdm/passportforwork-ddf.md @@ -2,12 +2,12 @@ title: PassportForWork DDF description: View the OMA DM device description framework (DDF) for the PassportForWork configuration service provider. DDF files are used only with OMA DM provisioning XML. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 07/29/2019 --- diff --git a/windows/client-management/mdm/personalization-csp.md b/windows/client-management/mdm/personalization-csp.md index 2a21d44f28..465ac4ecd9 100644 --- a/windows/client-management/mdm/personalization-csp.md +++ b/windows/client-management/mdm/personalization-csp.md @@ -1,14 +1,14 @@ --- title: Personalization CSP description: Use the Personalization CSP to lock screen and desktop background images, prevent users from changing the image, and use the settings in a provisioning package. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/28/2022 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Personalization CSP diff --git a/windows/client-management/mdm/personalization-ddf.md b/windows/client-management/mdm/personalization-ddf.md index bc7605048f..80cdb39b9b 100644 --- a/windows/client-management/mdm/personalization-ddf.md +++ b/windows/client-management/mdm/personalization-ddf.md @@ -1,14 +1,14 @@ --- title: Personalization DDF file -description: Learn how to set the OMA DM device description framework (DDF) for the Personalization configuration service provider (CSP). -ms.author: dansimp +description: Learn how to set the OMA DM device description framework (DDF) for the Personalization configuration service provider (CSP). +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Personalization DDF file diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index 96ba99c053..e06e70792f 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md @@ -2,12 +2,12 @@ title: ADMX-backed policies in Policy CSP description: Learn about the ADMX-backed policies in Policy CSP. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 10/08/2020 --- diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md index fe99b88a1c..55f6a99ca0 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md @@ -2,12 +2,12 @@ title: Policies in Policy CSP supported by Group Policy description: Learn about the policies in Policy CSP supported by Group Policy. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 07/18/2019 --- diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md index 58fffbd813..f70f86e654 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md @@ -2,12 +2,12 @@ title: Policies in Policy CSP supported by HoloLens (1st gen) Commercial Suite description: Learn the policies in Policy CSP supported by HoloLens (1st gen) Commercial Suite. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/17/2019 --- diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition.md index 7d67b45cd3..102a2eb6bc 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition.md @@ -2,12 +2,12 @@ title: Policies in Policy CSP supported by HoloLens (1st gen) Development Edition description: Learn about the policies in Policy CSP supported by HoloLens (1st gen) Development Edition. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 07/18/2019 --- diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md index 61da8064e2..d476c304ca 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md @@ -2,12 +2,12 @@ title: Policies in Policy CSP supported by HoloLens 2 description: Learn about the policies in Policy CSP supported by HoloLens 2. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 06/06/2022 --- diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-iot-core.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-iot-core.md index 0c5f378ed9..710a6bea37 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-iot-core.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-iot-core.md @@ -2,12 +2,12 @@ title: Policies in Policy CSP supported by Windows 10 IoT Core description: Learn about the policies in Policy CSP supported by Windows 10 IoT Core. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/16/2019 --- diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md index 5ab411d317..128bb7099b 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md @@ -2,12 +2,12 @@ title: Policies in Policy CSP supported by Microsoft Surface Hub description: Learn about the policies in Policy CSP supported by Microsoft Surface Hub. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 07/22/2020 --- diff --git a/windows/client-management/mdm/policies-in-policy-csp-that-can-be-set-using-eas.md b/windows/client-management/mdm/policies-in-policy-csp-that-can-be-set-using-eas.md index 4f12cf7aec..0529c08779 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-that-can-be-set-using-eas.md +++ b/windows/client-management/mdm/policies-in-policy-csp-that-can-be-set-using-eas.md @@ -2,12 +2,12 @@ title: Policies in Policy CSP that can be set using Exchange Active Sync (EAS) description: Learn about the policies in Policy CSP that can be set using Exchange Active Sync (EAS). ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 07/18/2019 --- diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 023ece8e40..3b79fcf245 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -2,12 +2,12 @@ title: Policy CSP description: Learn how the Policy configuration service provider (CSP) enables the enterprise to configure policies on Windows 10 and Windows 11. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 07/18/2019 ms.collection: highpri diff --git a/windows/client-management/mdm/policy-csp-abovelock.md b/windows/client-management/mdm/policy-csp-abovelock.md index e984f6f104..da3b56f932 100644 --- a/windows/client-management/mdm/policy-csp-abovelock.md +++ b/windows/client-management/mdm/policy-csp-abovelock.md @@ -1,15 +1,15 @@ --- title: Policy CSP - AboveLock -description: Learn the various AboveLock Policy configuration service provider (CSP) for Windows editions of Home, Pro, Business, and more. -ms.author: dansimp +description: Learn the various AboveLock Policy configuration service provider (CSP) for Windows editions of Home, Pro, Business, and more. +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - AboveLock diff --git a/windows/client-management/mdm/policy-csp-accounts.md b/windows/client-management/mdm/policy-csp-accounts.md index e261b05c4e..9320bce051 100644 --- a/windows/client-management/mdm/policy-csp-accounts.md +++ b/windows/client-management/mdm/policy-csp-accounts.md @@ -1,15 +1,15 @@ --- title: Policy CSP - Accounts -description: Learn about the Accounts policy configuration service provider (CSP). This article describes account policies. -ms.author: dansimp +description: Learn about the Accounts policy configuration service provider (CSP). This article describes account policies. +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - Accounts diff --git a/windows/client-management/mdm/policy-csp-activexcontrols.md b/windows/client-management/mdm/policy-csp-activexcontrols.md index d96b12b249..572eef454e 100644 --- a/windows/client-management/mdm/policy-csp-activexcontrols.md +++ b/windows/client-management/mdm/policy-csp-activexcontrols.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ActiveXControls description: Learn about various Policy configuration service provider (CSP) - ActiveXControls settings, including SyncML, for Windows 10. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ActiveXControls diff --git a/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md b/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md index 2a3088be3f..05cbc1fcee 100644 --- a/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md +++ b/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_ActiveXInstallService description: Learn about the Policy CSP - ADMX_ActiveXInstallService. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 11/09/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_ActiveXInstallService diff --git a/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md b/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md index 19c86af9d2..cf5b1966c0 100644 --- a/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md +++ b/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_AddRemovePrograms description: Learn about the Policy CSP - ADMX_AddRemovePrograms. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 08/13/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_AddRemovePrograms diff --git a/windows/client-management/mdm/policy-csp-admx-admpwd.md b/windows/client-management/mdm/policy-csp-admx-admpwd.md index b7c83023fa..5dd95ce744 100644 --- a/windows/client-management/mdm/policy-csp-admx-admpwd.md +++ b/windows/client-management/mdm/policy-csp-admx-admpwd.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_AdmPwd description: Learn about the Policy CSP - ADMX_AdmPwd. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 11/09/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_AdmPwd diff --git a/windows/client-management/mdm/policy-csp-admx-appcompat.md b/windows/client-management/mdm/policy-csp-admx-appcompat.md index 09e0448165..ecdf4b38bf 100644 --- a/windows/client-management/mdm/policy-csp-admx-appcompat.md +++ b/windows/client-management/mdm/policy-csp-admx-appcompat.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_AppCompat description: Policy CSP - ADMX_AppCompat -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 08/20/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_AppCompat diff --git a/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md b/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md index bfa6e0e368..3e30dc883a 100644 --- a/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md +++ b/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_AppxPackageManager description: Learn about the Policy CSP - ADMX_AppxPackageManager. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 11/10/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_AppxPackageManager diff --git a/windows/client-management/mdm/policy-csp-admx-appxruntime.md b/windows/client-management/mdm/policy-csp-admx-appxruntime.md index f9d07fe835..786dc5626b 100644 --- a/windows/client-management/mdm/policy-csp-admx-appxruntime.md +++ b/windows/client-management/mdm/policy-csp-admx-appxruntime.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_AppXRuntime description: Learn about the Policy CSP - ADMX_AppXRuntime. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 11/10/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_AppXRuntime diff --git a/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md b/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md index 991162ca51..0b7733a5a2 100644 --- a/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md +++ b/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_AttachmentManager description: Learn about the Policy CSP - ADMX_AttachmentManager. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 11/10/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_AttachmentManager diff --git a/windows/client-management/mdm/policy-csp-admx-auditsettings.md b/windows/client-management/mdm/policy-csp-admx-auditsettings.md index 4ae15d3c3b..d3fbdfca47 100644 --- a/windows/client-management/mdm/policy-csp-admx-auditsettings.md +++ b/windows/client-management/mdm/policy-csp-admx-auditsettings.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_AuditSettings description: Learn about the Policy CSP - ADMX_AuditSettings. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 08/13/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_AuditSettings. diff --git a/windows/client-management/mdm/policy-csp-admx-bits.md b/windows/client-management/mdm/policy-csp-admx-bits.md index ab01ed785d..52c73b763f 100644 --- a/windows/client-management/mdm/policy-csp-admx-bits.md +++ b/windows/client-management/mdm/policy-csp-admx-bits.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_Bits description: Learn about the Policy CSP - ADMX_Bits. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 10/20/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_Bits diff --git a/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md b/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md index a0033b3741..86f2b2d508 100644 --- a/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md +++ b/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_CipherSuiteOrder description: Learn about the Policy CSP - ADMX_CipherSuiteOrder. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 08/17/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_CipherSuiteOrder diff --git a/windows/client-management/mdm/policy-csp-admx-com.md b/windows/client-management/mdm/policy-csp-admx-com.md index d24c27f120..8426131fb5 100644 --- a/windows/client-management/mdm/policy-csp-admx-com.md +++ b/windows/client-management/mdm/policy-csp-admx-com.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_COM description: Learn about the Policy CSP - ADMX_COM. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 08/18/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_COM diff --git a/windows/client-management/mdm/policy-csp-admx-controlpanel.md b/windows/client-management/mdm/policy-csp-admx-controlpanel.md index c38abdd5cc..55e7b8a33f 100644 --- a/windows/client-management/mdm/policy-csp-admx-controlpanel.md +++ b/windows/client-management/mdm/policy-csp-admx-controlpanel.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_ControlPanel description: Learn about the Policy CSP - ADMX_ControlPanel. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 11/05/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_ControlPanel diff --git a/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md b/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md index 8a4ec1282c..637df89faf 100644 --- a/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md +++ b/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_ControlPanelDisplay description: Learn about the Policy CSP - ADMX_ControlPanelDisplay. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 11/05/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_ControlPanelDisplay diff --git a/windows/client-management/mdm/policy-csp-admx-cpls.md b/windows/client-management/mdm/policy-csp-admx-cpls.md index 0191a8c79c..b7c40099e2 100644 --- a/windows/client-management/mdm/policy-csp-admx-cpls.md +++ b/windows/client-management/mdm/policy-csp-admx-cpls.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_Cpls description: Learn about the Policy CSP - ADMX_Cpls. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 08/26/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_Cpls diff --git a/windows/client-management/mdm/policy-csp-admx-credentialproviders.md b/windows/client-management/mdm/policy-csp-admx-credentialproviders.md index 2787753ef1..b72ed7c028 100644 --- a/windows/client-management/mdm/policy-csp-admx-credentialproviders.md +++ b/windows/client-management/mdm/policy-csp-admx-credentialproviders.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_CredentialProviders description: Learn about the Policy CSP - ADMX_CredentialProviders. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 11/11/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_CredentialProviders diff --git a/windows/client-management/mdm/policy-csp-admx-credssp.md b/windows/client-management/mdm/policy-csp-admx-credssp.md index fb24354248..fb4a63852b 100644 --- a/windows/client-management/mdm/policy-csp-admx-credssp.md +++ b/windows/client-management/mdm/policy-csp-admx-credssp.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_CredSsp description: Learn about the Policy CSP - ADMX_CredSsp. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 11/12/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_CredSsp diff --git a/windows/client-management/mdm/policy-csp-admx-credui.md b/windows/client-management/mdm/policy-csp-admx-credui.md index 133b87350c..68623bfc04 100644 --- a/windows/client-management/mdm/policy-csp-admx-credui.md +++ b/windows/client-management/mdm/policy-csp-admx-credui.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_CredUI description: Learn about the Policy CSP - ADMX_CredUI. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 11/09/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_CredUI diff --git a/windows/client-management/mdm/policy-csp-admx-ctrlaltdel.md b/windows/client-management/mdm/policy-csp-admx-ctrlaltdel.md index 22bb0e2b9c..0d6a23d272 100644 --- a/windows/client-management/mdm/policy-csp-admx-ctrlaltdel.md +++ b/windows/client-management/mdm/policy-csp-admx-ctrlaltdel.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_CtrlAltDel description: Learn about the Policy CSP - ADMX_CtrlAltDel. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 08/26/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_CtrlAltDel diff --git a/windows/client-management/mdm/policy-csp-admx-datacollection.md b/windows/client-management/mdm/policy-csp-admx-datacollection.md index 9f7525d028..18b990f41a 100644 --- a/windows/client-management/mdm/policy-csp-admx-datacollection.md +++ b/windows/client-management/mdm/policy-csp-admx-datacollection.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_DataCollection description: Learn about the Policy CSP - ADMX_DataCollection. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/01/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_DataCollection diff --git a/windows/client-management/mdm/policy-csp-admx-dcom.md b/windows/client-management/mdm/policy-csp-admx-dcom.md index 4e3e20eb48..f826ec41b1 100644 --- a/windows/client-management/mdm/policy-csp-admx-dcom.md +++ b/windows/client-management/mdm/policy-csp-admx-dcom.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_DCOM description: Learn about the Policy CSP - ADMX_DCOM. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: nimishasatapathy +author: vinaypamnani-msft ms.date: 09/08/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_DCOM diff --git a/windows/client-management/mdm/policy-csp-admx-desktop.md b/windows/client-management/mdm/policy-csp-admx-desktop.md index 5017634eeb..c18835be26 100644 --- a/windows/client-management/mdm/policy-csp-admx-desktop.md +++ b/windows/client-management/mdm/policy-csp-admx-desktop.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_Desktop description: Learn about Policy CSP - ADMX_Desktop. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/02/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_Desktop diff --git a/windows/client-management/mdm/policy-csp-admx-devicecompat.md b/windows/client-management/mdm/policy-csp-admx-devicecompat.md index c1ac73f776..b2ca71c22d 100644 --- a/windows/client-management/mdm/policy-csp-admx-devicecompat.md +++ b/windows/client-management/mdm/policy-csp-admx-devicecompat.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_DeviceCompat description: Learn about Policy CSP - ADMX_DeviceCompat. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: nimishasatapathy +author: vinaypamnani-msft ms.date: 08/09/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_DeviceCompat diff --git a/windows/client-management/mdm/policy-csp-admx-deviceguard.md b/windows/client-management/mdm/policy-csp-admx-deviceguard.md index 4a673e49f0..d39a25209b 100644 --- a/windows/client-management/mdm/policy-csp-admx-deviceguard.md +++ b/windows/client-management/mdm/policy-csp-admx-deviceguard.md @@ -1,19 +1,22 @@ --- title: Policy CSP - ADMX_DeviceGuard description: Learn about Policy CSP - ADMX_DeviceGuard. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/08/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_DeviceGuard +> [!WARNING] +> Group Policy-based deployment of Windows Defender Application Control policies only supports single-policy format WDAC policies. To use WDAC on devices running Windows 10 1903 and greater, or Windows 11, we recommend using an alternative method for [policy deployment](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide). + > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > @@ -93,4 +96,4 @@ ADMX Info: ## Related topics -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file +[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) diff --git a/windows/client-management/mdm/policy-csp-admx-deviceinstallation.md b/windows/client-management/mdm/policy-csp-admx-deviceinstallation.md index bbc9785c1b..1da8e03482 100644 --- a/windows/client-management/mdm/policy-csp-admx-deviceinstallation.md +++ b/windows/client-management/mdm/policy-csp-admx-deviceinstallation.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_DeviceInstallation description: Learn about Policy CSP - ADMX_DeviceInstallation. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 11/19/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_DeviceInstallation diff --git a/windows/client-management/mdm/policy-csp-admx-devicesetup.md b/windows/client-management/mdm/policy-csp-admx-devicesetup.md index d3b545c45a..d4559a5746 100644 --- a/windows/client-management/mdm/policy-csp-admx-devicesetup.md +++ b/windows/client-management/mdm/policy-csp-admx-devicesetup.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_DeviceSetup description: Learn about Policy CSP - ADMX_DeviceSetup. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 11/19/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_DeviceSetup diff --git a/windows/client-management/mdm/policy-csp-admx-dfs.md b/windows/client-management/mdm/policy-csp-admx-dfs.md index 029c5a1884..3a36dd326e 100644 --- a/windows/client-management/mdm/policy-csp-admx-dfs.md +++ b/windows/client-management/mdm/policy-csp-admx-dfs.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_DFS description: Learn about Policy CSP - ADMX_DFS. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: nimishasatapathy +author: vinaypamnani-msft ms.date: 09/08/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_DFS diff --git a/windows/client-management/mdm/policy-csp-admx-digitallocker.md b/windows/client-management/mdm/policy-csp-admx-digitallocker.md index 0b11ba27af..4cb25e95d8 100644 --- a/windows/client-management/mdm/policy-csp-admx-digitallocker.md +++ b/windows/client-management/mdm/policy-csp-admx-digitallocker.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_DigitalLocker description: Learn about Policy CSP - ADMX_DigitalLocker. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 08/31/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_DigitalLocker diff --git a/windows/client-management/mdm/policy-csp-admx-diskdiagnostic.md b/windows/client-management/mdm/policy-csp-admx-diskdiagnostic.md index 206c700ce3..9262266a8d 100644 --- a/windows/client-management/mdm/policy-csp-admx-diskdiagnostic.md +++ b/windows/client-management/mdm/policy-csp-admx-diskdiagnostic.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_DiskDiagnostic description: Learn about Policy CSP - ADMX_DiskDiagnostic. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: nimishasatapathy +author: vinaypamnani-msft ms.date: 09/08/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_DiskDiagnostic diff --git a/windows/client-management/mdm/policy-csp-admx-disknvcache.md b/windows/client-management/mdm/policy-csp-admx-disknvcache.md index e3d2d46297..92b5a4725e 100644 --- a/windows/client-management/mdm/policy-csp-admx-disknvcache.md +++ b/windows/client-management/mdm/policy-csp-admx-disknvcache.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_DiskNVCache description: Learn about Policy CSP - ADMX_DiskNVCache. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 08/12/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_DiskNVCache diff --git a/windows/client-management/mdm/policy-csp-admx-diskquota.md b/windows/client-management/mdm/policy-csp-admx-diskquota.md index ac4604b2d6..bc75db6e4a 100644 --- a/windows/client-management/mdm/policy-csp-admx-diskquota.md +++ b/windows/client-management/mdm/policy-csp-admx-diskquota.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_DiskQuota description: Learn about Policy CSP - ADMX_DiskQuota. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 08/12/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_DiskQuota diff --git a/windows/client-management/mdm/policy-csp-admx-distributedlinktracking.md b/windows/client-management/mdm/policy-csp-admx-distributedlinktracking.md index 098addf8db..7efbc6544a 100644 --- a/windows/client-management/mdm/policy-csp-admx-distributedlinktracking.md +++ b/windows/client-management/mdm/policy-csp-admx-distributedlinktracking.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_DistributedLinkTracking description: Learn about Policy CSP - ADMX_DistributedLinkTracking. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 03/22/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_DistributedLinkTracking diff --git a/windows/client-management/mdm/policy-csp-admx-dnsclient.md b/windows/client-management/mdm/policy-csp-admx-dnsclient.md index 080d80ae3d..8af9f82bc0 100644 --- a/windows/client-management/mdm/policy-csp-admx-dnsclient.md +++ b/windows/client-management/mdm/policy-csp-admx-dnsclient.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_DnsClient description: Learn about Policy CSP - ADMX_DnsClient. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 08/12/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_DnsClient diff --git a/windows/client-management/mdm/policy-csp-admx-dwm.md b/windows/client-management/mdm/policy-csp-admx-dwm.md index a3118e564b..920a8c9d98 100644 --- a/windows/client-management/mdm/policy-csp-admx-dwm.md +++ b/windows/client-management/mdm/policy-csp-admx-dwm.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_DWM description: Learn about Policy CSP - ADMX_DWM. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 08/31/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_DWM diff --git a/windows/client-management/mdm/policy-csp-admx-eaime.md b/windows/client-management/mdm/policy-csp-admx-eaime.md index 6b81a966e1..c08bae6677 100644 --- a/windows/client-management/mdm/policy-csp-admx-eaime.md +++ b/windows/client-management/mdm/policy-csp-admx-eaime.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_EAIME description: Learn about the Policy CSP - ADMX_EAIME. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 11/19/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_EAIME diff --git a/windows/client-management/mdm/policy-csp-admx-encryptfilesonmove.md b/windows/client-management/mdm/policy-csp-admx-encryptfilesonmove.md index 2ef08d8dea..21c1fdf20f 100644 --- a/windows/client-management/mdm/policy-csp-admx-encryptfilesonmove.md +++ b/windows/client-management/mdm/policy-csp-admx-encryptfilesonmove.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_EncryptFilesonMove description: Learn about the Policy CSP - ADMX_EncryptFilesonMove. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/02/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_EncryptFilesonMove diff --git a/windows/client-management/mdm/policy-csp-admx-enhancedstorage.md b/windows/client-management/mdm/policy-csp-admx-enhancedstorage.md index 7a97834588..01470abcbe 100644 --- a/windows/client-management/mdm/policy-csp-admx-enhancedstorage.md +++ b/windows/client-management/mdm/policy-csp-admx-enhancedstorage.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_EnhancedStorage description: Learn about the Policy CSP - ADMX_EnhancedStorage. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 11/23/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_EnhancedStorage diff --git a/windows/client-management/mdm/policy-csp-admx-errorreporting.md b/windows/client-management/mdm/policy-csp-admx-errorreporting.md index 52dececdfe..75e7132a34 100644 --- a/windows/client-management/mdm/policy-csp-admx-errorreporting.md +++ b/windows/client-management/mdm/policy-csp-admx-errorreporting.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_ErrorReporting description: Learn about the Policy CSP - ADMX_ErrorReporting. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 11/23/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_ErrorReporting diff --git a/windows/client-management/mdm/policy-csp-admx-eventforwarding.md b/windows/client-management/mdm/policy-csp-admx-eventforwarding.md index 0eeeb1a2e2..627492ca73 100644 --- a/windows/client-management/mdm/policy-csp-admx-eventforwarding.md +++ b/windows/client-management/mdm/policy-csp-admx-eventforwarding.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_EventForwarding description: Learn about the Policy CSP - ADMX_EventForwarding. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 08/17/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_EventForwarding diff --git a/windows/client-management/mdm/policy-csp-admx-eventlog.md b/windows/client-management/mdm/policy-csp-admx-eventlog.md index 8e16b2c305..471b6a5631 100644 --- a/windows/client-management/mdm/policy-csp-admx-eventlog.md +++ b/windows/client-management/mdm/policy-csp-admx-eventlog.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_EventLog description: Learn about the Policy CSP - ADMX_EventLog. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/01/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_EventLog diff --git a/windows/client-management/mdm/policy-csp-admx-eventlogging.md b/windows/client-management/mdm/policy-csp-admx-eventlogging.md index 62d1bc8a55..03921b2021 100644 --- a/windows/client-management/mdm/policy-csp-admx-eventlogging.md +++ b/windows/client-management/mdm/policy-csp-admx-eventlogging.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_EventLogging description: Learn about the Policy CSP - ADMX_EventLogging. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: nimishasatapathy +author: vinaypamnani-msft ms.date: 09/12/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_EventLogging diff --git a/windows/client-management/mdm/policy-csp-admx-eventviewer.md b/windows/client-management/mdm/policy-csp-admx-eventviewer.md index e04745a40b..a3979738bd 100644 --- a/windows/client-management/mdm/policy-csp-admx-eventviewer.md +++ b/windows/client-management/mdm/policy-csp-admx-eventviewer.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_EventViewer description: Learn about the Policy CSP - ADMX_EventViewer. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: nimishasatapathy +author: vinaypamnani-msft ms.date: 09/13/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_EventViewer diff --git a/windows/client-management/mdm/policy-csp-admx-explorer.md b/windows/client-management/mdm/policy-csp-admx-explorer.md index 36e0b39de2..c3be668f23 100644 --- a/windows/client-management/mdm/policy-csp-admx-explorer.md +++ b/windows/client-management/mdm/policy-csp-admx-explorer.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_Explorer description: Learn about the Policy CSP - ADMX_Explorer. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/08/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_Explorer diff --git a/windows/client-management/mdm/policy-csp-admx-externalboot.md b/windows/client-management/mdm/policy-csp-admx-externalboot.md index 93b3bee4e0..7d85473280 100644 --- a/windows/client-management/mdm/policy-csp-admx-externalboot.md +++ b/windows/client-management/mdm/policy-csp-admx-externalboot.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_ExternalBoot description: Learn about the Policy CSP - ADMX_ExternalBoot. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: nimishasatapathy +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/13/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_ExternalBoot diff --git a/windows/client-management/mdm/policy-csp-admx-filerecovery.md b/windows/client-management/mdm/policy-csp-admx-filerecovery.md index b5239ba4b3..e81f6e1043 100644 --- a/windows/client-management/mdm/policy-csp-admx-filerecovery.md +++ b/windows/client-management/mdm/policy-csp-admx-filerecovery.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_FileRecovery description: Learn about the Policy CSP - ADMX_FileRecovery. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 03/24/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_FileRecovery diff --git a/windows/client-management/mdm/policy-csp-admx-filerevocation.md b/windows/client-management/mdm/policy-csp-admx-filerevocation.md index dedad2fa09..6cf18b696b 100644 --- a/windows/client-management/mdm/policy-csp-admx-filerevocation.md +++ b/windows/client-management/mdm/policy-csp-admx-filerevocation.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_FileRevocation description: Learn about the Policy CSP - ADMX_FileRevocation. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: nimishasatapathy +author: vinaypamnani-msft ms.date: 09/13/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_FileRevocation diff --git a/windows/client-management/mdm/policy-csp-admx-fileservervssprovider.md b/windows/client-management/mdm/policy-csp-admx-fileservervssprovider.md index 71897ec183..5f9d1741bd 100644 --- a/windows/client-management/mdm/policy-csp-admx-fileservervssprovider.md +++ b/windows/client-management/mdm/policy-csp-admx-fileservervssprovider.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_FileServerVSSProvider description: Learn about the Policy CSP - ADMX_FileServerVSSProvider. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/02/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_FileServerVSSProvider diff --git a/windows/client-management/mdm/policy-csp-admx-filesys.md b/windows/client-management/mdm/policy-csp-admx-filesys.md index 0e4f4f4725..e5c5587bc2 100644 --- a/windows/client-management/mdm/policy-csp-admx-filesys.md +++ b/windows/client-management/mdm/policy-csp-admx-filesys.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_FileSys description: Learn about the Policy CSP - ADMX_FileSys. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/02/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_FileSys diff --git a/windows/client-management/mdm/policy-csp-admx-folderredirection.md b/windows/client-management/mdm/policy-csp-admx-folderredirection.md index fc2f29a559..cca8d67c3b 100644 --- a/windows/client-management/mdm/policy-csp-admx-folderredirection.md +++ b/windows/client-management/mdm/policy-csp-admx-folderredirection.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_FolderRedirection description: Learn about the Policy CSP - ADMX_FolderRedirection. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/02/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_FolderRedirection diff --git a/windows/client-management/mdm/policy-csp-admx-framepanes.md b/windows/client-management/mdm/policy-csp-admx-framepanes.md index ba90f4137d..a30e0b8b87 100644 --- a/windows/client-management/mdm/policy-csp-admx-framepanes.md +++ b/windows/client-management/mdm/policy-csp-admx-framepanes.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_FramePanes description: Learn about the Policy CSP - ADMX_FramePanes. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: nimishasatapathy +author: vinaypamnani-msft ms.date: 09/14/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_FramePanes diff --git a/windows/client-management/mdm/policy-csp-admx-fthsvc.md b/windows/client-management/mdm/policy-csp-admx-fthsvc.md index a87f70ce8d..d571a60d05 100644 --- a/windows/client-management/mdm/policy-csp-admx-fthsvc.md +++ b/windows/client-management/mdm/policy-csp-admx-fthsvc.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_FTHSVC description: Learn about the Policy CSP - ADMX_FTHSVC. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: nimishasatapathy +author: vinaypamnani-msft ms.date: 09/15/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_FTHSVC diff --git a/windows/client-management/mdm/policy-csp-admx-globalization.md b/windows/client-management/mdm/policy-csp-admx-globalization.md index 7483d618f1..51540ef8ab 100644 --- a/windows/client-management/mdm/policy-csp-admx-globalization.md +++ b/windows/client-management/mdm/policy-csp-admx-globalization.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_Globalization description: Learn about the Policy CSP - ADMX_Globalization. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/14/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_Globalization diff --git a/windows/client-management/mdm/policy-csp-admx-grouppolicy.md b/windows/client-management/mdm/policy-csp-admx-grouppolicy.md index 9b8a2007ca..986333d80f 100644 --- a/windows/client-management/mdm/policy-csp-admx-grouppolicy.md +++ b/windows/client-management/mdm/policy-csp-admx-grouppolicy.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_GroupPolicy description: Learn about the Policy CSP - ADMX_GroupPolicy. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/21/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_GroupPolicy diff --git a/windows/client-management/mdm/policy-csp-admx-help.md b/windows/client-management/mdm/policy-csp-admx-help.md index 603e13fa68..ef05d2efca 100644 --- a/windows/client-management/mdm/policy-csp-admx-help.md +++ b/windows/client-management/mdm/policy-csp-admx-help.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_Help description: Learn about the Policy CSP - ADMX_Help. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/03/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_Help diff --git a/windows/client-management/mdm/policy-csp-admx-helpandsupport.md b/windows/client-management/mdm/policy-csp-admx-helpandsupport.md index d1db72afc5..e013dc38ab 100644 --- a/windows/client-management/mdm/policy-csp-admx-helpandsupport.md +++ b/windows/client-management/mdm/policy-csp-admx-helpandsupport.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_HelpAndSupport description: Learn about the Policy CSP - ADMX_HelpAndSupport. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/03/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_HelpAndSupport diff --git a/windows/client-management/mdm/policy-csp-admx-hotspotauth.md b/windows/client-management/mdm/policy-csp-admx-hotspotauth.md index 48356bdf1a..ba8121417b 100644 --- a/windows/client-management/mdm/policy-csp-admx-hotspotauth.md +++ b/windows/client-management/mdm/policy-csp-admx-hotspotauth.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_HotSpotAuth description: Learn about the Policy CSP - ADMX_HotSpotAuth. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: nimishasatapathy +author: vinaypamnani-msft ms.date: 09/15/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_HotSpotAuth diff --git a/windows/client-management/mdm/policy-csp-admx-icm.md b/windows/client-management/mdm/policy-csp-admx-icm.md index c80b5b8007..9e9178ac7a 100644 --- a/windows/client-management/mdm/policy-csp-admx-icm.md +++ b/windows/client-management/mdm/policy-csp-admx-icm.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_ICM description: Learn about the Policy CSP - ADMX_ICM. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/17/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_ICM diff --git a/windows/client-management/mdm/policy-csp-admx-iis.md b/windows/client-management/mdm/policy-csp-admx-iis.md index c68c2b9d10..cdae65ef17 100644 --- a/windows/client-management/mdm/policy-csp-admx-iis.md +++ b/windows/client-management/mdm/policy-csp-admx-iis.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_IIS description: Learn about the Policy CSP - ADMX_IIS. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: nimishasatapathy +author: vinaypamnani-msft ms.date: 09/17/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_IIS diff --git a/windows/client-management/mdm/policy-csp-admx-iscsi.md b/windows/client-management/mdm/policy-csp-admx-iscsi.md index 67786a4e35..e4938d1f67 100644 --- a/windows/client-management/mdm/policy-csp-admx-iscsi.md +++ b/windows/client-management/mdm/policy-csp-admx-iscsi.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_iSCSI description: Learn about the Policy CSP - ADMX_iSCSI. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/17/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_iSCSI diff --git a/windows/client-management/mdm/policy-csp-admx-kdc.md b/windows/client-management/mdm/policy-csp-admx-kdc.md index 5ea252a9f3..ec99d97b12 100644 --- a/windows/client-management/mdm/policy-csp-admx-kdc.md +++ b/windows/client-management/mdm/policy-csp-admx-kdc.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_kdc description: Learn about the Policy CSP - ADMX_kdc. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 08/13/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_kdc diff --git a/windows/client-management/mdm/policy-csp-admx-kerberos.md b/windows/client-management/mdm/policy-csp-admx-kerberos.md index a70fa508b8..3cbff4ed32 100644 --- a/windows/client-management/mdm/policy-csp-admx-kerberos.md +++ b/windows/client-management/mdm/policy-csp-admx-kerberos.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_Kerberos description: Learn about the Policy CSP - ADMX_Kerberos. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 11/12/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_Kerberos diff --git a/windows/client-management/mdm/policy-csp-admx-lanmanserver.md b/windows/client-management/mdm/policy-csp-admx-lanmanserver.md index 4baef48f3a..3fe3659069 100644 --- a/windows/client-management/mdm/policy-csp-admx-lanmanserver.md +++ b/windows/client-management/mdm/policy-csp-admx-lanmanserver.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_LanmanServer description: Learn about the Policy CSP - ADMX_LanmanServer. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 08/13/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_LanmanServer diff --git a/windows/client-management/mdm/policy-csp-admx-lanmanworkstation.md b/windows/client-management/mdm/policy-csp-admx-lanmanworkstation.md index 1459422b9a..969840fdeb 100644 --- a/windows/client-management/mdm/policy-csp-admx-lanmanworkstation.md +++ b/windows/client-management/mdm/policy-csp-admx-lanmanworkstation.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_LanmanWorkstation description: Learn about the Policy CSP - ADMX_LanmanWorkstation. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/08/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_LanmanWorkstation diff --git a/windows/client-management/mdm/policy-csp-admx-leakdiagnostic.md b/windows/client-management/mdm/policy-csp-admx-leakdiagnostic.md index abf93f8dcf..2f421ddce0 100644 --- a/windows/client-management/mdm/policy-csp-admx-leakdiagnostic.md +++ b/windows/client-management/mdm/policy-csp-admx-leakdiagnostic.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_LeakDiagnostic description: Learn about the Policy CSP - ADMX_LeakDiagnostic. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: nimishasatapathy +author: vinaypamnani-msft ms.date: 09/17/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_LeakDiagnostic diff --git a/windows/client-management/mdm/policy-csp-admx-linklayertopologydiscovery.md b/windows/client-management/mdm/policy-csp-admx-linklayertopologydiscovery.md index 8af8087093..ac18bf4c6f 100644 --- a/windows/client-management/mdm/policy-csp-admx-linklayertopologydiscovery.md +++ b/windows/client-management/mdm/policy-csp-admx-linklayertopologydiscovery.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_LinkLayerTopologyDiscovery description: Learn about Policy CSP - ADMX_LinkLayerTopologyDiscovery. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/04/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_LinkLayerTopologyDiscovery diff --git a/windows/client-management/mdm/policy-csp-admx-locationprovideradm.md b/windows/client-management/mdm/policy-csp-admx-locationprovideradm.md index 34d7b1561d..6557e565a3 100644 --- a/windows/client-management/mdm/policy-csp-admx-locationprovideradm.md +++ b/windows/client-management/mdm/policy-csp-admx-locationprovideradm.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_LocationProviderAdm description: Learn about Policy CSP - ADMX_LocationProviderAdm. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: nimishasatapathy +author: vinaypamnani-msft ms.date: 09/20/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_LocationProviderAdm diff --git a/windows/client-management/mdm/policy-csp-admx-logon.md b/windows/client-management/mdm/policy-csp-admx-logon.md index 39410f580e..3386f503ec 100644 --- a/windows/client-management/mdm/policy-csp-admx-logon.md +++ b/windows/client-management/mdm/policy-csp-admx-logon.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_Logon description: Learn about Policy CSP - ADMX_Logon. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/21/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_Logon diff --git a/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md b/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md index b600ea3664..62d92eb76a 100644 --- a/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md +++ b/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_MicrosoftDefenderAntivirus description: Learn about Policy CSP - ADMX_MicrosoftDefenderAntivirus. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 01/03/2022 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_MicrosoftDefenderAntivirus diff --git a/windows/client-management/mdm/policy-csp-admx-mmc.md b/windows/client-management/mdm/policy-csp-admx-mmc.md index 66f7ee9fa5..1d1d07a118 100644 --- a/windows/client-management/mdm/policy-csp-admx-mmc.md +++ b/windows/client-management/mdm/policy-csp-admx-mmc.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_MMC description: Learn about Policy CSP - ADMX_MMC. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/03/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_MMC diff --git a/windows/client-management/mdm/policy-csp-admx-mmcsnapins.md b/windows/client-management/mdm/policy-csp-admx-mmcsnapins.md index 42d6a7faa7..1dc887ce45 100644 --- a/windows/client-management/mdm/policy-csp-admx-mmcsnapins.md +++ b/windows/client-management/mdm/policy-csp-admx-mmcsnapins.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_MMCSnapins description: Learn about Policy CSP - ADMX_MMCSnapins. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 08/13/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_MMCSnapins diff --git a/windows/client-management/mdm/policy-csp-admx-mobilepcmobilitycenter.md b/windows/client-management/mdm/policy-csp-admx-mobilepcmobilitycenter.md index 5beff76d0e..462bfc2801 100644 --- a/windows/client-management/mdm/policy-csp-admx-mobilepcmobilitycenter.md +++ b/windows/client-management/mdm/policy-csp-admx-mobilepcmobilitycenter.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_MobilePCMobilityCenter description: Learn about Policy CSP - ADMX_MobilePCMobilityCenter. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: nimishasatapathy +author: vinaypamnani-msft ms.date: 09/20/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_MobilePCMobilityCenter diff --git a/windows/client-management/mdm/policy-csp-admx-mobilepcpresentationsettings.md b/windows/client-management/mdm/policy-csp-admx-mobilepcpresentationsettings.md index 382e64f23d..a0b6581b36 100644 --- a/windows/client-management/mdm/policy-csp-admx-mobilepcpresentationsettings.md +++ b/windows/client-management/mdm/policy-csp-admx-mobilepcpresentationsettings.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_MobilePCPresentationSettings description: Learn about Policy CSP - ADMX_MobilePCPresentationSettings. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: nimishasatapathy +author: vinaypamnani-msft ms.date: 09/20/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_MobilePCPresentationSettings diff --git a/windows/client-management/mdm/policy-csp-admx-msapolicy.md b/windows/client-management/mdm/policy-csp-admx-msapolicy.md index e95aac830e..a706344772 100644 --- a/windows/client-management/mdm/policy-csp-admx-msapolicy.md +++ b/windows/client-management/mdm/policy-csp-admx-msapolicy.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_MSAPolicy description: Learn about Policy CSP - ADMX_MSAPolicy. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/14/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_MSAPolicy diff --git a/windows/client-management/mdm/policy-csp-admx-msched.md b/windows/client-management/mdm/policy-csp-admx-msched.md index a3e9d15464..039423c269 100644 --- a/windows/client-management/mdm/policy-csp-admx-msched.md +++ b/windows/client-management/mdm/policy-csp-admx-msched.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_msched description: Learn about Policy CSP - ADMX_msched. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/08/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_msched diff --git a/windows/client-management/mdm/policy-csp-admx-msdt.md b/windows/client-management/mdm/policy-csp-admx-msdt.md index 01e72fdc64..3cf6d8ccbd 100644 --- a/windows/client-management/mdm/policy-csp-admx-msdt.md +++ b/windows/client-management/mdm/policy-csp-admx-msdt.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_MSDT description: Learn about Policy CSP - ADMX_MSDT. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/09/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_MSDT diff --git a/windows/client-management/mdm/policy-csp-admx-msi.md b/windows/client-management/mdm/policy-csp-admx-msi.md index af31120c3c..ee2aa88f20 100644 --- a/windows/client-management/mdm/policy-csp-admx-msi.md +++ b/windows/client-management/mdm/policy-csp-admx-msi.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_MSI description: Learn about Policy CSP - ADMX_MSI. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/16/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_MSI diff --git a/windows/client-management/mdm/policy-csp-admx-msifilerecovery.md b/windows/client-management/mdm/policy-csp-admx-msifilerecovery.md index 54717a8f50..b1d046c306 100644 --- a/windows/client-management/mdm/policy-csp-admx-msifilerecovery.md +++ b/windows/client-management/mdm/policy-csp-admx-msifilerecovery.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_MsiFileRecovery description: Learn about Policy CSP - ADMX_MsiFileRecovery. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: nimishasatapathy +author: vinaypamnani-msft ms.date: 09/20/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_MsiFileRecovery diff --git a/windows/client-management/mdm/policy-csp-admx-nca.md b/windows/client-management/mdm/policy-csp-admx-nca.md index 2b520f4ec5..7bfd8617d3 100644 --- a/windows/client-management/mdm/policy-csp-admx-nca.md +++ b/windows/client-management/mdm/policy-csp-admx-nca.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_nca description: Policy CSP - ADMX_nca -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/14/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_nca diff --git a/windows/client-management/mdm/policy-csp-admx-ncsi.md b/windows/client-management/mdm/policy-csp-admx-ncsi.md index 41bfae8db7..ddb9baa7e7 100644 --- a/windows/client-management/mdm/policy-csp-admx-ncsi.md +++ b/windows/client-management/mdm/policy-csp-admx-ncsi.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_NCSI description: Learn about Policy CSP - ADMX_NCSI. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/14/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_NCSI diff --git a/windows/client-management/mdm/policy-csp-admx-netlogon.md b/windows/client-management/mdm/policy-csp-admx-netlogon.md index 517f41ab17..119133aa16 100644 --- a/windows/client-management/mdm/policy-csp-admx-netlogon.md +++ b/windows/client-management/mdm/policy-csp-admx-netlogon.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_Netlogon description: Learn about Policy CSP - ADMX_Netlogon. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/15/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_Netlogon diff --git a/windows/client-management/mdm/policy-csp-admx-networkconnections.md b/windows/client-management/mdm/policy-csp-admx-networkconnections.md index 210fdcd3ca..178901d5b6 100644 --- a/windows/client-management/mdm/policy-csp-admx-networkconnections.md +++ b/windows/client-management/mdm/policy-csp-admx-networkconnections.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_NetworkConnections description: Learn about Policy CSP - ADMX_NetworkConnections. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 10/21/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_NetworkConnections diff --git a/windows/client-management/mdm/policy-csp-admx-offlinefiles.md b/windows/client-management/mdm/policy-csp-admx-offlinefiles.md index 7d60db6150..efc0936d36 100644 --- a/windows/client-management/mdm/policy-csp-admx-offlinefiles.md +++ b/windows/client-management/mdm/policy-csp-admx-offlinefiles.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_OfflineFiles description: Learn about Policy CSP - ADMX_OfflineFiles. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/21/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_OfflineFiles diff --git a/windows/client-management/mdm/policy-csp-admx-pca.md b/windows/client-management/mdm/policy-csp-admx-pca.md index 21b21c87e2..28a333dfcc 100644 --- a/windows/client-management/mdm/policy-csp-admx-pca.md +++ b/windows/client-management/mdm/policy-csp-admx-pca.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_pca description: Learn about Policy CSP - ADMX_pca. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: nimishasatapathy +author: vinaypamnani-msft ms.date: 09/20/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_pca diff --git a/windows/client-management/mdm/policy-csp-admx-peertopeercaching.md b/windows/client-management/mdm/policy-csp-admx-peertopeercaching.md index 7218cc97d6..b5e4199768 100644 --- a/windows/client-management/mdm/policy-csp-admx-peertopeercaching.md +++ b/windows/client-management/mdm/policy-csp-admx-peertopeercaching.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_PeerToPeerCaching description: Learn about Policy CSP - ADMX_PeerToPeerCaching. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/16/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_PeerToPeerCaching diff --git a/windows/client-management/mdm/policy-csp-admx-pentraining.md b/windows/client-management/mdm/policy-csp-admx-pentraining.md index faf9afb98a..322223fccc 100644 --- a/windows/client-management/mdm/policy-csp-admx-pentraining.md +++ b/windows/client-management/mdm/policy-csp-admx-pentraining.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_PenTraining description: Learn about Policy CSP - ADMX_PenTraining. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/22/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_PenTraining diff --git a/windows/client-management/mdm/policy-csp-admx-performancediagnostics.md b/windows/client-management/mdm/policy-csp-admx-performancediagnostics.md index 18ce028bb6..7c956fcf64 100644 --- a/windows/client-management/mdm/policy-csp-admx-performancediagnostics.md +++ b/windows/client-management/mdm/policy-csp-admx-performancediagnostics.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_PerformanceDiagnostics description: Learn about Policy CSP - ADMX_PerformanceDiagnostics. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/16/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_PerformanceDiagnostics diff --git a/windows/client-management/mdm/policy-csp-admx-power.md b/windows/client-management/mdm/policy-csp-admx-power.md index d77be55b2b..e1e9ee133b 100644 --- a/windows/client-management/mdm/policy-csp-admx-power.md +++ b/windows/client-management/mdm/policy-csp-admx-power.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_Power description: Learn about Policy CSP - ADMX_Power. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/22/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_Power diff --git a/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy.md b/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy.md index d9933722cc..0818fc3b94 100644 --- a/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy.md +++ b/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_PowerShellExecutionPolicy description: Learn about Policy CSP - ADMX_PowerShellExecutionPolicy. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 10/26/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_PowerShellExecutionPolicy diff --git a/windows/client-management/mdm/policy-csp-admx-previousversions.md b/windows/client-management/mdm/policy-csp-admx-previousversions.md index cb7bb6a236..05320e6fd6 100644 --- a/windows/client-management/mdm/policy-csp-admx-previousversions.md +++ b/windows/client-management/mdm/policy-csp-admx-previousversions.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_PreviousVersions description: Policy CSP - ADMX_PreviousVersions -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/01/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_PreviousVersions diff --git a/windows/client-management/mdm/policy-csp-admx-printing.md b/windows/client-management/mdm/policy-csp-admx-printing.md index fa322d02d0..f107901b56 100644 --- a/windows/client-management/mdm/policy-csp-admx-printing.md +++ b/windows/client-management/mdm/policy-csp-admx-printing.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_Printing description: Learn about Policy CSP - ADMX_Printing. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/15/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_Printing diff --git a/windows/client-management/mdm/policy-csp-admx-printing2.md b/windows/client-management/mdm/policy-csp-admx-printing2.md index 74159d9d3c..3032187dbe 100644 --- a/windows/client-management/mdm/policy-csp-admx-printing2.md +++ b/windows/client-management/mdm/policy-csp-admx-printing2.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_Printing2 description: Learn about Policy CSP - ADMX_Printing2. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/15/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_Printing2 diff --git a/windows/client-management/mdm/policy-csp-admx-programs.md b/windows/client-management/mdm/policy-csp-admx-programs.md index 681645a684..3758a6ba32 100644 --- a/windows/client-management/mdm/policy-csp-admx-programs.md +++ b/windows/client-management/mdm/policy-csp-admx-programs.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_Programs description: Learn about Policy CSP - ADMX_Programs. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/01/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_Programs diff --git a/windows/client-management/mdm/policy-csp-admx-pushtoinstall.md b/windows/client-management/mdm/policy-csp-admx-pushtoinstall.md index 4e6309ff2a..d5ba645c1e 100644 --- a/windows/client-management/mdm/policy-csp-admx-pushtoinstall.md +++ b/windows/client-management/mdm/policy-csp-admx-pushtoinstall.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_PushToInstall description: Learn about Policy CSP - ADMX_PushToInstall. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/01/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_PushToInstall diff --git a/windows/client-management/mdm/policy-csp-admx-radar.md b/windows/client-management/mdm/policy-csp-admx-radar.md index dc01eef4a8..bcfa2454cb 100644 --- a/windows/client-management/mdm/policy-csp-admx-radar.md +++ b/windows/client-management/mdm/policy-csp-admx-radar.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_Radar description: Learn about Policy CSP - ADMX_Radar. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/08/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_Radar diff --git a/windows/client-management/mdm/policy-csp-admx-reliability.md b/windows/client-management/mdm/policy-csp-admx-reliability.md index fd6026410b..08a42720fb 100644 --- a/windows/client-management/mdm/policy-csp-admx-reliability.md +++ b/windows/client-management/mdm/policy-csp-admx-reliability.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_Reliability description: Policy CSP - ADMX_Reliability -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 08/13/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_Reliability diff --git a/windows/client-management/mdm/policy-csp-admx-remoteassistance.md b/windows/client-management/mdm/policy-csp-admx-remoteassistance.md index 5433779640..5d6a8d5676 100644 --- a/windows/client-management/mdm/policy-csp-admx-remoteassistance.md +++ b/windows/client-management/mdm/policy-csp-admx-remoteassistance.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_RemoteAssistance description: Learn about Policy CSP - ADMX_RemoteAssistance. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/14/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_RemoteAssistance diff --git a/windows/client-management/mdm/policy-csp-admx-removablestorage.md b/windows/client-management/mdm/policy-csp-admx-removablestorage.md index a823f286cf..f4f47dc890 100644 --- a/windows/client-management/mdm/policy-csp-admx-removablestorage.md +++ b/windows/client-management/mdm/policy-csp-admx-removablestorage.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_RemovableStorage description: Learn about Policy CSP - ADMX_RemovableStorage. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/10/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_RemovableStorage diff --git a/windows/client-management/mdm/policy-csp-admx-rpc.md b/windows/client-management/mdm/policy-csp-admx-rpc.md index 5215c95259..6f085b0205 100644 --- a/windows/client-management/mdm/policy-csp-admx-rpc.md +++ b/windows/client-management/mdm/policy-csp-admx-rpc.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_RPC description: Learn about Policy CSP - ADMX_RPC. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/08/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_RPC diff --git a/windows/client-management/mdm/policy-csp-admx-scripts.md b/windows/client-management/mdm/policy-csp-admx-scripts.md index 06fc58ebc7..fec515d046 100644 --- a/windows/client-management/mdm/policy-csp-admx-scripts.md +++ b/windows/client-management/mdm/policy-csp-admx-scripts.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_Scripts description: Learn about Policy CSP - ADMX_Scripts. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/17/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_Scripts diff --git a/windows/client-management/mdm/policy-csp-admx-sdiageng.md b/windows/client-management/mdm/policy-csp-admx-sdiageng.md index 7d9082639e..354380bdd2 100644 --- a/windows/client-management/mdm/policy-csp-admx-sdiageng.md +++ b/windows/client-management/mdm/policy-csp-admx-sdiageng.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_sdiageng description: Learn about Policy CSP - ADMX_sdiageng. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/18/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_sdiageng diff --git a/windows/client-management/mdm/policy-csp-admx-sdiagschd.md b/windows/client-management/mdm/policy-csp-admx-sdiagschd.md index 1b35263fab..84cea15e19 100644 --- a/windows/client-management/mdm/policy-csp-admx-sdiagschd.md +++ b/windows/client-management/mdm/policy-csp-admx-sdiagschd.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_sdiagschd description: Learn about Policy CSP - ADMX_sdiagschd. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/17/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_sdiagschd diff --git a/windows/client-management/mdm/policy-csp-admx-securitycenter.md b/windows/client-management/mdm/policy-csp-admx-securitycenter.md index db28229ae8..66efb88c7f 100644 --- a/windows/client-management/mdm/policy-csp-admx-securitycenter.md +++ b/windows/client-management/mdm/policy-csp-admx-securitycenter.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_Securitycenter description: Learn about Policy CSP - ADMX_Securitycenter. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/18/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_Securitycenter diff --git a/windows/client-management/mdm/policy-csp-admx-sensors.md b/windows/client-management/mdm/policy-csp-admx-sensors.md index 2849e15624..37049367dc 100644 --- a/windows/client-management/mdm/policy-csp-admx-sensors.md +++ b/windows/client-management/mdm/policy-csp-admx-sensors.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_Sensors description: Learn about Policy CSP - ADMX_Sensors. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 10/22/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_Sensors diff --git a/windows/client-management/mdm/policy-csp-admx-servermanager.md b/windows/client-management/mdm/policy-csp-admx-servermanager.md index a14eb4488d..2f5de5c9a8 100644 --- a/windows/client-management/mdm/policy-csp-admx-servermanager.md +++ b/windows/client-management/mdm/policy-csp-admx-servermanager.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_ServerManager description: Learn about Policy CSP - ADMX_ServerManager. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/18/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_ServerManager diff --git a/windows/client-management/mdm/policy-csp-admx-servicing.md b/windows/client-management/mdm/policy-csp-admx-servicing.md index e4d18d9a66..07ca3a013c 100644 --- a/windows/client-management/mdm/policy-csp-admx-servicing.md +++ b/windows/client-management/mdm/policy-csp-admx-servicing.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_Servicing description: Learn about Policy CSP - ADMX_Servicing. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/18/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_Servicing diff --git a/windows/client-management/mdm/policy-csp-admx-settingsync.md b/windows/client-management/mdm/policy-csp-admx-settingsync.md index c7355a160c..c68630eec1 100644 --- a/windows/client-management/mdm/policy-csp-admx-settingsync.md +++ b/windows/client-management/mdm/policy-csp-admx-settingsync.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_SettingSync description: Learn about Policy CSP - ADMX_SettingSync. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/01/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_SettingSync diff --git a/windows/client-management/mdm/policy-csp-admx-sharedfolders.md b/windows/client-management/mdm/policy-csp-admx-sharedfolders.md index c48eab98b9..a018d51a65 100644 --- a/windows/client-management/mdm/policy-csp-admx-sharedfolders.md +++ b/windows/client-management/mdm/policy-csp-admx-sharedfolders.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_SharedFolders description: Learn about Policy CSP - ADMX_SharedFolders. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/21/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_SharedFolders diff --git a/windows/client-management/mdm/policy-csp-admx-sharing.md b/windows/client-management/mdm/policy-csp-admx-sharing.md index 9a02cd3b35..77f8afb7f8 100644 --- a/windows/client-management/mdm/policy-csp-admx-sharing.md +++ b/windows/client-management/mdm/policy-csp-admx-sharing.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_Sharing description: Learn about Policy CSP - ADMX_Sharing. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/21/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_Sharing diff --git a/windows/client-management/mdm/policy-csp-admx-shellcommandpromptregedittools.md b/windows/client-management/mdm/policy-csp-admx-shellcommandpromptregedittools.md index e226b26906..fa6a4ebe37 100644 --- a/windows/client-management/mdm/policy-csp-admx-shellcommandpromptregedittools.md +++ b/windows/client-management/mdm/policy-csp-admx-shellcommandpromptregedittools.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_ShellCommandPromptRegEditTools description: Learn about Policy CSP - ADMX_ShellCommandPromptRegEditTools. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/18/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_ShellCommandPromptRegEditTools diff --git a/windows/client-management/mdm/policy-csp-admx-smartcard.md b/windows/client-management/mdm/policy-csp-admx-smartcard.md index 6c6fae1e34..8145f4e15f 100644 --- a/windows/client-management/mdm/policy-csp-admx-smartcard.md +++ b/windows/client-management/mdm/policy-csp-admx-smartcard.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_Smartcard description: Learn about Policy CSP - ADMX_Smartcard. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/23/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_Smartcard diff --git a/windows/client-management/mdm/policy-csp-admx-snmp.md b/windows/client-management/mdm/policy-csp-admx-snmp.md index 0767b4c97c..a65f75e734 100644 --- a/windows/client-management/mdm/policy-csp-admx-snmp.md +++ b/windows/client-management/mdm/policy-csp-admx-snmp.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_Snmp description: Learn about Policy CSP - ADMX_Snmp. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/24/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_Snmp diff --git a/windows/client-management/mdm/policy-csp-admx-soundrec.md b/windows/client-management/mdm/policy-csp-admx-soundrec.md index 77dcf00f34..dcc94a5737 100644 --- a/windows/client-management/mdm/policy-csp-admx-soundrec.md +++ b/windows/client-management/mdm/policy-csp-admx-soundrec.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_SoundRec description: Learn about Policy CSP - ADMX_SoundRec. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/01/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_SoundRec diff --git a/windows/client-management/mdm/policy-csp-admx-srmfci.md b/windows/client-management/mdm/policy-csp-admx-srmfci.md index 125aec535d..b5f0f4d1cb 100644 --- a/windows/client-management/mdm/policy-csp-admx-srmfci.md +++ b/windows/client-management/mdm/policy-csp-admx-srmfci.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_srmfci description: Learn about Policy CSP - ADMX_srmfci. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/18/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_srmfci diff --git a/windows/client-management/mdm/policy-csp-admx-startmenu.md b/windows/client-management/mdm/policy-csp-admx-startmenu.md index 78b189b308..8c6e907ba3 100644 --- a/windows/client-management/mdm/policy-csp-admx-startmenu.md +++ b/windows/client-management/mdm/policy-csp-admx-startmenu.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_StartMenu description: Learn about Policy CSP - ADMX_StartMenu. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 10/20/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_StartMenu diff --git a/windows/client-management/mdm/policy-csp-admx-systemrestore.md b/windows/client-management/mdm/policy-csp-admx-systemrestore.md index 3349d83359..4ca5a3d3a1 100644 --- a/windows/client-management/mdm/policy-csp-admx-systemrestore.md +++ b/windows/client-management/mdm/policy-csp-admx-systemrestore.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_SystemRestore description: Learn about Policy CSP - ADMX_SystemRestore. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 11/13/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_SystemRestore diff --git a/windows/client-management/mdm/policy-csp-admx-tabletshell.md b/windows/client-management/mdm/policy-csp-admx-tabletshell.md index 2517de0c90..cfc57b2098 100644 --- a/windows/client-management/mdm/policy-csp-admx-tabletshell.md +++ b/windows/client-management/mdm/policy-csp-admx-tabletshell.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_TabletShell description: Learn about Policy CSP - ADMX_TabletShell. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/23/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_TabletShell diff --git a/windows/client-management/mdm/policy-csp-admx-taskbar.md b/windows/client-management/mdm/policy-csp-admx-taskbar.md index 259cfc544c..3436685cc9 100644 --- a/windows/client-management/mdm/policy-csp-admx-taskbar.md +++ b/windows/client-management/mdm/policy-csp-admx-taskbar.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_Taskbar description: Learn about Policy CSP - ADMX_Taskbar. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 10/26/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_Taskbar diff --git a/windows/client-management/mdm/policy-csp-admx-tcpip.md b/windows/client-management/mdm/policy-csp-admx-tcpip.md index 227131133b..7ef48341ef 100644 --- a/windows/client-management/mdm/policy-csp-admx-tcpip.md +++ b/windows/client-management/mdm/policy-csp-admx-tcpip.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_tcpip description: Learn about Policy CSP - ADMX_tcpip. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/23/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_tcpip diff --git a/windows/client-management/mdm/policy-csp-admx-terminalserver.md b/windows/client-management/mdm/policy-csp-admx-terminalserver.md index 3f070da798..f4dd3f6be6 100644 --- a/windows/client-management/mdm/policy-csp-admx-terminalserver.md +++ b/windows/client-management/mdm/policy-csp-admx-terminalserver.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_TerminalServer description: Learn about Policy CSP - ADMX_TerminalServer. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/21/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_TerminalServer diff --git a/windows/client-management/mdm/policy-csp-admx-thumbnails.md b/windows/client-management/mdm/policy-csp-admx-thumbnails.md index 4cbe4a167f..b8a2fd7483 100644 --- a/windows/client-management/mdm/policy-csp-admx-thumbnails.md +++ b/windows/client-management/mdm/policy-csp-admx-thumbnails.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_Thumbnails description: Learn about Policy CSP - ADMX_Thumbnails. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/25/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_Thumbnails diff --git a/windows/client-management/mdm/policy-csp-admx-touchinput.md b/windows/client-management/mdm/policy-csp-admx-touchinput.md index 477fec0b8c..776951f78d 100644 --- a/windows/client-management/mdm/policy-csp-admx-touchinput.md +++ b/windows/client-management/mdm/policy-csp-admx-touchinput.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_TouchInput description: Learn about Policy CSP - ADMX_TouchInput. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/23/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_TouchInput diff --git a/windows/client-management/mdm/policy-csp-admx-tpm.md b/windows/client-management/mdm/policy-csp-admx-tpm.md index c7e72a4d44..2e39f46e4f 100644 --- a/windows/client-management/mdm/policy-csp-admx-tpm.md +++ b/windows/client-management/mdm/policy-csp-admx-tpm.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_TPM description: Learn about Policy CSP - ADMX_TPM. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/25/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_TPM diff --git a/windows/client-management/mdm/policy-csp-admx-userexperiencevirtualization.md b/windows/client-management/mdm/policy-csp-admx-userexperiencevirtualization.md index 1b4c199855..c5a2aabcc3 100644 --- a/windows/client-management/mdm/policy-csp-admx-userexperiencevirtualization.md +++ b/windows/client-management/mdm/policy-csp-admx-userexperiencevirtualization.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_UserExperienceVirtualization description: Learn about Policy CSP - ADMX_UserExperienceVirtualization. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/30/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_UserExperienceVirtualization diff --git a/windows/client-management/mdm/policy-csp-admx-userprofiles.md b/windows/client-management/mdm/policy-csp-admx-userprofiles.md index 799a90014c..f6d9875e16 100644 --- a/windows/client-management/mdm/policy-csp-admx-userprofiles.md +++ b/windows/client-management/mdm/policy-csp-admx-userprofiles.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_UserProfiles description: Learn about Policy CSP - ADMX_UserProfiles. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 11/11/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_UserProfiles diff --git a/windows/client-management/mdm/policy-csp-admx-w32time.md b/windows/client-management/mdm/policy-csp-admx-w32time.md index 7324ca3459..9ec5b2733d 100644 --- a/windows/client-management/mdm/policy-csp-admx-w32time.md +++ b/windows/client-management/mdm/policy-csp-admx-w32time.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_W32Time description: Learn about Policy CSP - ADMX_W32Time. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/28/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_W32Time diff --git a/windows/client-management/mdm/policy-csp-admx-wcm.md b/windows/client-management/mdm/policy-csp-admx-wcm.md index eeeacfe4ca..d396e0aaae 100644 --- a/windows/client-management/mdm/policy-csp-admx-wcm.md +++ b/windows/client-management/mdm/policy-csp-admx-wcm.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_WCM description: Learn about Policy CSP - ADMX_WCM. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 10/22/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_WCM diff --git a/windows/client-management/mdm/policy-csp-admx-wdi.md b/windows/client-management/mdm/policy-csp-admx-wdi.md index a5b1ce11d8..b3a2aefd94 100644 --- a/windows/client-management/mdm/policy-csp-admx-wdi.md +++ b/windows/client-management/mdm/policy-csp-admx-wdi.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_WDI description: Learn about Policy CSP - ADMX_WDI. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 11/09/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_WDI diff --git a/windows/client-management/mdm/policy-csp-admx-wincal.md b/windows/client-management/mdm/policy-csp-admx-wincal.md index 81cb16ebed..410eda6d2b 100644 --- a/windows/client-management/mdm/policy-csp-admx-wincal.md +++ b/windows/client-management/mdm/policy-csp-admx-wincal.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_WinCal description: Policy CSP - ADMX_WinCal -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/28/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_WinCal diff --git a/windows/client-management/mdm/policy-csp-admx-windowscolorsystem.md b/windows/client-management/mdm/policy-csp-admx-windowscolorsystem.md index 08e1bacf93..c575e5f9a8 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowscolorsystem.md +++ b/windows/client-management/mdm/policy-csp-admx-windowscolorsystem.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_WindowsColorSystem description: Policy CSP - ADMX_WindowsColorSystem -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 10/27/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_WindowsColorSystem diff --git a/windows/client-management/mdm/policy-csp-admx-windowsconnectnow.md b/windows/client-management/mdm/policy-csp-admx-windowsconnectnow.md index 59c5880a8b..8d93498e0d 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsconnectnow.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsconnectnow.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_WindowsConnectNow description: Policy CSP - ADMX_WindowsConnectNow -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/28/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_WindowsConnectNow diff --git a/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md b/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md index cb885ee871..5dd0274b06 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_WindowsExplorer description: Policy CSP - ADMX_WindowsExplorer -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 10/29/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_WindowsExplorer diff --git a/windows/client-management/mdm/policy-csp-admx-windowsmediadrm.md b/windows/client-management/mdm/policy-csp-admx-windowsmediadrm.md index d8b921b3e5..e2b7d6b653 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsmediadrm.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsmediadrm.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_WindowsMediaDRM description: Policy CSP - ADMX_WindowsMediaDRM -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 08/13/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_WindowsMediaDRM diff --git a/windows/client-management/mdm/policy-csp-admx-windowsmediaplayer.md b/windows/client-management/mdm/policy-csp-admx-windowsmediaplayer.md index dee6a3efe7..15f9ca5c47 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsmediaplayer.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsmediaplayer.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_WindowsMediaPlayer description: Policy CSP - ADMX_WindowsMediaPlayer -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 10/09/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_WindowsMediaPlayer diff --git a/windows/client-management/mdm/policy-csp-admx-windowsremotemanagement.md b/windows/client-management/mdm/policy-csp-admx-windowsremotemanagement.md index 927b7686c7..902f22ebc8 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsremotemanagement.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsremotemanagement.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_WindowsRemoteManagement description: Policy CSP - ADMX_WindowsRemoteManagement -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/16/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_WindowsRemoteManagement diff --git a/windows/client-management/mdm/policy-csp-admx-windowsstore.md b/windows/client-management/mdm/policy-csp-admx-windowsstore.md index 72fffb643f..3a56097a51 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsstore.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsstore.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_WindowsStore description: Policy CSP - ADMX_WindowsStore -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 10/26/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_WindowsStore diff --git a/windows/client-management/mdm/policy-csp-admx-wininit.md b/windows/client-management/mdm/policy-csp-admx-wininit.md index 421da6c478..0f1c09fbca 100644 --- a/windows/client-management/mdm/policy-csp-admx-wininit.md +++ b/windows/client-management/mdm/policy-csp-admx-wininit.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_WinInit description: Policy CSP - ADMX_WinInit -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/29/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_WinInit diff --git a/windows/client-management/mdm/policy-csp-admx-winlogon.md b/windows/client-management/mdm/policy-csp-admx-winlogon.md index 92bcea8397..767e746db8 100644 --- a/windows/client-management/mdm/policy-csp-admx-winlogon.md +++ b/windows/client-management/mdm/policy-csp-admx-winlogon.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_WinLogon description: Policy CSP - ADMX_WinLogon -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 11/09/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_WinLogon diff --git a/windows/client-management/mdm/policy-csp-admx-winsrv.md b/windows/client-management/mdm/policy-csp-admx-winsrv.md index 9b5ea557d1..7d744cb320 100644 --- a/windows/client-management/mdm/policy-csp-admx-winsrv.md +++ b/windows/client-management/mdm/policy-csp-admx-winsrv.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_Winsrv description: Policy CSP - ADMX_Winsrv -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 02/25/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_Winsrv diff --git a/windows/client-management/mdm/policy-csp-admx-wlansvc.md b/windows/client-management/mdm/policy-csp-admx-wlansvc.md index aeda8eb64c..146fa04b1b 100644 --- a/windows/client-management/mdm/policy-csp-admx-wlansvc.md +++ b/windows/client-management/mdm/policy-csp-admx-wlansvc.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_wlansvc description: Policy CSP - ADMX_wlansvc -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 10/27/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_wlansvc diff --git a/windows/client-management/mdm/policy-csp-admx-wordwheel.md b/windows/client-management/mdm/policy-csp-admx-wordwheel.md index 57124ac9b3..b027226ee8 100644 --- a/windows/client-management/mdm/policy-csp-admx-wordwheel.md +++ b/windows/client-management/mdm/policy-csp-admx-wordwheel.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_WordWheel description: Policy CSP - ADMX_WordWheel -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: nimishasatapathy +author: vinaypamnani-msft ms.date: 09/22/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_WordWheel diff --git a/windows/client-management/mdm/policy-csp-admx-workfoldersclient.md b/windows/client-management/mdm/policy-csp-admx-workfoldersclient.md index 3a455a27b2..56d08ee87f 100644 --- a/windows/client-management/mdm/policy-csp-admx-workfoldersclient.md +++ b/windows/client-management/mdm/policy-csp-admx-workfoldersclient.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_WorkFoldersClient description: Policy CSP - ADMX_WorkFoldersClient -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: nimishasatapathy +author: vinaypamnani-msft ms.date: 09/22/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_WorkFoldersClient diff --git a/windows/client-management/mdm/policy-csp-admx-wpn.md b/windows/client-management/mdm/policy-csp-admx-wpn.md index 857a782385..6397e4e333 100644 --- a/windows/client-management/mdm/policy-csp-admx-wpn.md +++ b/windows/client-management/mdm/policy-csp-admx-wpn.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_WPN description: Policy CSP - ADMX_WPN -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 11/13/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_WPN diff --git a/windows/client-management/mdm/policy-csp-applicationdefaults.md b/windows/client-management/mdm/policy-csp-applicationdefaults.md index 08788dc5cf..db27b3a605 100644 --- a/windows/client-management/mdm/policy-csp-applicationdefaults.md +++ b/windows/client-management/mdm/policy-csp-applicationdefaults.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ApplicationDefaults description: Learn about various Policy configuration service providers (CSP) - ApplicationDefaults, including SyncML, for Windows 10. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ApplicationDefaults diff --git a/windows/client-management/mdm/policy-csp-applicationmanagement.md b/windows/client-management/mdm/policy-csp-applicationmanagement.md index a7f90d8ef1..a9bd9d1f06 100644 --- a/windows/client-management/mdm/policy-csp-applicationmanagement.md +++ b/windows/client-management/mdm/policy-csp-applicationmanagement.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ApplicationManagement description: Learn about various Policy configuration service providers (CSP) - ApplicationManagement, including SyncML, for Windows 10. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 02/11/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ApplicationManagement diff --git a/windows/client-management/mdm/policy-csp-appruntime.md b/windows/client-management/mdm/policy-csp-appruntime.md index a73acd40df..ab3b3c38da 100644 --- a/windows/client-management/mdm/policy-csp-appruntime.md +++ b/windows/client-management/mdm/policy-csp-appruntime.md @@ -1,15 +1,15 @@ --- title: Policy CSP - AppRuntime description: Learn how the Policy CSP - AppRuntime setting controls whether Microsoft accounts are optional for Windows Store apps that require an account to sign in. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - AppRuntime diff --git a/windows/client-management/mdm/policy-csp-appvirtualization.md b/windows/client-management/mdm/policy-csp-appvirtualization.md index 04b7a70206..9803e28948 100644 --- a/windows/client-management/mdm/policy-csp-appvirtualization.md +++ b/windows/client-management/mdm/policy-csp-appvirtualization.md @@ -1,15 +1,15 @@ --- title: Policy CSP - AppVirtualization description: Learn how the Policy CSP - AppVirtualization setting allows you to enable or disable Microsoft Application Virtualization (App-V) feature. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - AppVirtualization diff --git a/windows/client-management/mdm/policy-csp-attachmentmanager.md b/windows/client-management/mdm/policy-csp-attachmentmanager.md index 321527a0e3..2878642c3e 100644 --- a/windows/client-management/mdm/policy-csp-attachmentmanager.md +++ b/windows/client-management/mdm/policy-csp-attachmentmanager.md @@ -1,15 +1,15 @@ --- title: Policy CSP - AttachmentManager description: Manage Windows marks file attachments with information about their zone of origin, such as restricted, internet, intranet, local. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - AttachmentManager diff --git a/windows/client-management/mdm/policy-csp-audit.md b/windows/client-management/mdm/policy-csp-audit.md index 2673bc236e..f70ec5324f 100644 --- a/windows/client-management/mdm/policy-csp-audit.md +++ b/windows/client-management/mdm/policy-csp-audit.md @@ -1,11 +1,11 @@ --- title: Policy CSP - Audit description: Learn how the Policy CSP - Audit setting causes an audit event to be generated when an account can't sign in to a computer because the account is locked out. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 --- diff --git a/windows/client-management/mdm/policy-csp-authentication.md b/windows/client-management/mdm/policy-csp-authentication.md index b934f952aa..b7a3091207 100644 --- a/windows/client-management/mdm/policy-csp-authentication.md +++ b/windows/client-management/mdm/policy-csp-authentication.md @@ -1,14 +1,14 @@ --- title: Policy CSP - Authentication description: The Policy CSP - Authentication setting allows the Azure AD tenant administrators to enable self service password reset feature on the Windows sign-in screen. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.reviewer: bobgil -manager: dansimp +manager: aaroncz --- # Policy CSP - Authentication diff --git a/windows/client-management/mdm/policy-csp-autoplay.md b/windows/client-management/mdm/policy-csp-autoplay.md index ac10523d39..cbccee0f6f 100644 --- a/windows/client-management/mdm/policy-csp-autoplay.md +++ b/windows/client-management/mdm/policy-csp-autoplay.md @@ -1,15 +1,15 @@ --- title: Policy CSP - Autoplay description: Learn how the Policy CSP - Autoplay setting disallows AutoPlay for MTP devices like cameras or phones. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - Autoplay diff --git a/windows/client-management/mdm/policy-csp-bitlocker.md b/windows/client-management/mdm/policy-csp-bitlocker.md index e56c8f51fb..7aa01b7d63 100644 --- a/windows/client-management/mdm/policy-csp-bitlocker.md +++ b/windows/client-management/mdm/policy-csp-bitlocker.md @@ -1,15 +1,15 @@ --- title: Policy CSP - BitLocker description: Use the Policy configuration service provider (CSP) - BitLocker to manage encryption of PCs and devices. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - BitLocker diff --git a/windows/client-management/mdm/policy-csp-bits.md b/windows/client-management/mdm/policy-csp-bits.md index 19cb5e2ce2..639d2c8e86 100644 --- a/windows/client-management/mdm/policy-csp-bits.md +++ b/windows/client-management/mdm/policy-csp-bits.md @@ -1,15 +1,15 @@ --- title: Policy CSP - BITS -description: Use StartTime, EndTime and Transfer rate together to define the BITS bandwidth-throttling schedule and transfer rate. -ms.author: dansimp +description: Use StartTime, EndTime and Transfer rate together to define the BITS bandwidth-throttling schedule and transfer rate. +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - BITS diff --git a/windows/client-management/mdm/policy-csp-bluetooth.md b/windows/client-management/mdm/policy-csp-bluetooth.md index 8312708e30..0a044cfc57 100644 --- a/windows/client-management/mdm/policy-csp-bluetooth.md +++ b/windows/client-management/mdm/policy-csp-bluetooth.md @@ -1,15 +1,15 @@ --- title: Policy CSP - Bluetooth description: Learn how the Policy CSP - Bluetooth setting specifies whether the device can send out Bluetooth advertisements. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 02/12/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - Bluetooth diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md index 2c340877a4..6da1550f1d 100644 --- a/windows/client-management/mdm/policy-csp-browser.md +++ b/windows/client-management/mdm/policy-csp-browser.md @@ -4,11 +4,11 @@ description: Learn how to use the Policy CSP - Browser settings so you can confi ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp -ms.author: dansimp +author: vinaypamnani-msft +ms.author: vinpa ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz ms.localizationpriority: medium --- diff --git a/windows/client-management/mdm/policy-csp-camera.md b/windows/client-management/mdm/policy-csp-camera.md index 64b48bbc40..ed98c5d85b 100644 --- a/windows/client-management/mdm/policy-csp-camera.md +++ b/windows/client-management/mdm/policy-csp-camera.md @@ -1,15 +1,15 @@ --- title: Policy CSP - Camera description: Learn how to use the Policy CSP - Camera setting so that you can configure it to disable or enable the camera. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - Camera diff --git a/windows/client-management/mdm/policy-csp-cellular.md b/windows/client-management/mdm/policy-csp-cellular.md index 62837b80db..eb2180cddd 100644 --- a/windows/client-management/mdm/policy-csp-cellular.md +++ b/windows/client-management/mdm/policy-csp-cellular.md @@ -1,15 +1,15 @@ --- title: Policy CSP - Cellular description: Learn how to use the Policy CSP - Cellular setting so you can specify whether Windows apps can access cellular data. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - Cellular diff --git a/windows/client-management/mdm/policy-csp-connectivity.md b/windows/client-management/mdm/policy-csp-connectivity.md index 661ffccaf9..f4dc267b7a 100644 --- a/windows/client-management/mdm/policy-csp-connectivity.md +++ b/windows/client-management/mdm/policy-csp-connectivity.md @@ -1,15 +1,15 @@ --- title: Policy CSP - Connectivity description: Learn how to use the Policy CSP - Connectivity setting to allow the user to enable Bluetooth or restrict access. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 -ms.reviewer: -manager: dansimp +ms.reviewer: +manager: aaroncz --- # Policy CSP - Connectivity diff --git a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md index d795f177d4..da457db759 100644 --- a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md +++ b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md @@ -1,14 +1,14 @@ --- title: Policy CSP - ControlPolicyConflict description: Use the Policy CSP - ControlPolicyConflict setting to control which policy is used whenever both the MDM policy and its equivalent Group Policy are set on the device. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ControlPolicyConflict diff --git a/windows/client-management/mdm/policy-csp-credentialproviders.md b/windows/client-management/mdm/policy-csp-credentialproviders.md index beeffe2585..28f4edb5ec 100644 --- a/windows/client-management/mdm/policy-csp-credentialproviders.md +++ b/windows/client-management/mdm/policy-csp-credentialproviders.md @@ -1,15 +1,15 @@ --- title: Policy CSP - CredentialProviders description: Learn how to use the policy CSP for credential provider so you can control whether a domain user can sign in using a convenience PIN. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - CredentialProviders diff --git a/windows/client-management/mdm/policy-csp-credentialsdelegation.md b/windows/client-management/mdm/policy-csp-credentialsdelegation.md index e459f00b15..4236a94376 100644 --- a/windows/client-management/mdm/policy-csp-credentialsdelegation.md +++ b/windows/client-management/mdm/policy-csp-credentialsdelegation.md @@ -1,15 +1,15 @@ --- title: Policy CSP - CredentialsDelegation description: Learn how to use the Policy CSP - CredentialsDelegation setting so that remote host can allow delegation of non-exportable credentials. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - CredentialsDelegation diff --git a/windows/client-management/mdm/policy-csp-credentialsui.md b/windows/client-management/mdm/policy-csp-credentialsui.md index d126286e24..fd869a6c75 100644 --- a/windows/client-management/mdm/policy-csp-credentialsui.md +++ b/windows/client-management/mdm/policy-csp-credentialsui.md @@ -1,15 +1,15 @@ --- title: Policy CSP - CredentialsUI description: Learn how to use the Policy CSP - CredentialsUI setting to configure the display of the password reveal button in password entry user experiences. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - CredentialsUI diff --git a/windows/client-management/mdm/policy-csp-cryptography.md b/windows/client-management/mdm/policy-csp-cryptography.md index 31ebde8cc2..1eb727623a 100644 --- a/windows/client-management/mdm/policy-csp-cryptography.md +++ b/windows/client-management/mdm/policy-csp-cryptography.md @@ -1,15 +1,15 @@ --- title: Policy CSP - Cryptography description: Learn how to use the Policy CSP - Cryptography setting to allow or disallow the Federal Information Processing Standard (FIPS) policy. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - Cryptography diff --git a/windows/client-management/mdm/policy-csp-dataprotection.md b/windows/client-management/mdm/policy-csp-dataprotection.md index 43dc6aeab0..9bb4559320 100644 --- a/windows/client-management/mdm/policy-csp-dataprotection.md +++ b/windows/client-management/mdm/policy-csp-dataprotection.md @@ -1,15 +1,15 @@ --- title: Policy CSP - DataProtection description: Use the Policy CSP - DataProtection setting to block direct memory access (DMA) for all hot pluggable PCI downstream ports until a user logs into Windows. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - DataProtection diff --git a/windows/client-management/mdm/policy-csp-datausage.md b/windows/client-management/mdm/policy-csp-datausage.md index 5e271eabfc..0950d10f87 100644 --- a/windows/client-management/mdm/policy-csp-datausage.md +++ b/windows/client-management/mdm/policy-csp-datausage.md @@ -1,15 +1,15 @@ --- title: Policy CSP - DataUsage -description: Learn how to use the Policy CSP - DataUsage setting to configure the cost of 4G connections on the local machine. -ms.author: dansimp +description: Learn how to use the Policy CSP - DataUsage setting to configure the cost of 4G connections on the local machine. +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - DataUsage diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md index 8912143332..6c42ebfde5 100644 --- a/windows/client-management/mdm/policy-csp-defender.md +++ b/windows/client-management/mdm/policy-csp-defender.md @@ -1,15 +1,15 @@ --- title: Policy CSP - Defender description: Learn how to use the Policy CSP - Defender setting so you can allow or disallow scanning of archives. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 05/12/2022 ms.reviewer: -manager: dansimp +manager: aaroncz ms.collection: highpri --- diff --git a/windows/client-management/mdm/policy-csp-deliveryoptimization.md b/windows/client-management/mdm/policy-csp-deliveryoptimization.md index f49ee66cee..f272b05108 100644 --- a/windows/client-management/mdm/policy-csp-deliveryoptimization.md +++ b/windows/client-management/mdm/policy-csp-deliveryoptimization.md @@ -1,15 +1,15 @@ --- title: Policy CSP - DeliveryOptimization description: Learn how to use the Policy CSP - DeliveryOptimization setting to configure one or more Microsoft Connected Cache servers to be used by Delivery Optimization. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 06/09/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - DeliveryOptimization diff --git a/windows/client-management/mdm/policy-csp-desktop.md b/windows/client-management/mdm/policy-csp-desktop.md index 4d3d97a6bd..6e4f8b2502 100644 --- a/windows/client-management/mdm/policy-csp-desktop.md +++ b/windows/client-management/mdm/policy-csp-desktop.md @@ -1,15 +1,15 @@ --- title: Policy CSP - Desktop description: Learn how to use the Policy CSP - Desktop setting to prevent users from changing the path to their profile folders. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - Desktop diff --git a/windows/client-management/mdm/policy-csp-deviceguard.md b/windows/client-management/mdm/policy-csp-deviceguard.md index 09369cf747..d34fce4b14 100644 --- a/windows/client-management/mdm/policy-csp-deviceguard.md +++ b/windows/client-management/mdm/policy-csp-deviceguard.md @@ -1,15 +1,15 @@ --- title: Policy CSP - DeviceGuard description: Learn how to use the Policy CSP - DeviceGuard setting to allow the IT admin to configure the launch of System Guard. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - DeviceGuard diff --git a/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md b/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md index 65ccf2ff72..b412a147d6 100644 --- a/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md +++ b/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md @@ -1,15 +1,15 @@ --- title: Policy CSP - DeviceHealthMonitoring description: Learn how the Policy CSP - DeviceHealthMonitoring setting is used as an opt-in health monitoring connection between the device and Microsoft. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - DeviceHealthMonitoring diff --git a/windows/client-management/mdm/policy-csp-deviceinstallation.md b/windows/client-management/mdm/policy-csp-deviceinstallation.md index ee81f379cf..9ba8e12f78 100644 --- a/windows/client-management/mdm/policy-csp-deviceinstallation.md +++ b/windows/client-management/mdm/policy-csp-deviceinstallation.md @@ -1,14 +1,14 @@ --- title: Policy CSP - DeviceInstallation ms.reviewer: -manager: dansimp +manager: aaroncz description: Use the Policy CSP - DeviceInstallation setting to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is allowed to install. -ms.author: dansimp +ms.author: vinpa ms.date: 09/27/2019 ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium --- diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md index 39fa89a03f..96b7ecf2c1 100644 --- a/windows/client-management/mdm/policy-csp-devicelock.md +++ b/windows/client-management/mdm/policy-csp-devicelock.md @@ -1,15 +1,15 @@ --- title: Policy CSP - DeviceLock description: Learn how to use the Policy CSP - DeviceLock setting to specify whether the user must input a PIN or password when the device resumes from an idle state. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 05/16/2022 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - DeviceLock diff --git a/windows/client-management/mdm/policy-csp-display.md b/windows/client-management/mdm/policy-csp-display.md index 25318d988f..601c24c077 100644 --- a/windows/client-management/mdm/policy-csp-display.md +++ b/windows/client-management/mdm/policy-csp-display.md @@ -1,15 +1,15 @@ --- title: Policy CSP - Display description: Learn how to use the Policy CSP - Display setting to disable Per-Process System DPI for a semicolon-separated list of applications. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - Display diff --git a/windows/client-management/mdm/policy-csp-dmaguard.md b/windows/client-management/mdm/policy-csp-dmaguard.md index 648380d02b..1188039966 100644 --- a/windows/client-management/mdm/policy-csp-dmaguard.md +++ b/windows/client-management/mdm/policy-csp-dmaguard.md @@ -1,15 +1,15 @@ --- title: Policy CSP - DmaGuard description: Learn how to use the Policy CSP - DmaGuard setting to provide more security against external DMA capable devices. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - DmaGuard diff --git a/windows/client-management/mdm/policy-csp-eap.md b/windows/client-management/mdm/policy-csp-eap.md index 94c84c45ca..9b16db9fd4 100644 --- a/windows/client-management/mdm/policy-csp-eap.md +++ b/windows/client-management/mdm/policy-csp-eap.md @@ -1,15 +1,15 @@ --- title: Policy CSP - EAP -description: Learn how to use the Policy CSP - Education setting to control graphing functionality in the Windows Calculator app. -ms.author: dansimp +description: Learn how to use the Policy CSP - Education setting to control graphing functionality in the Windows Calculator app. +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - EAP diff --git a/windows/client-management/mdm/policy-csp-education.md b/windows/client-management/mdm/policy-csp-education.md index edab7bcabf..1fd25bb275 100644 --- a/windows/client-management/mdm/policy-csp-education.md +++ b/windows/client-management/mdm/policy-csp-education.md @@ -1,15 +1,15 @@ --- title: Policy CSP - Education -description: Learn how to use the Policy CSP - Education setting to control the graphing functionality in the Windows Calculator app. -ms.author: dansimp +description: Learn how to use the Policy CSP - Education setting to control the graphing functionality in the Windows Calculator app. +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - Education diff --git a/windows/client-management/mdm/policy-csp-enterprisecloudprint.md b/windows/client-management/mdm/policy-csp-enterprisecloudprint.md index df2804c31e..2c125b1d1f 100644 --- a/windows/client-management/mdm/policy-csp-enterprisecloudprint.md +++ b/windows/client-management/mdm/policy-csp-enterprisecloudprint.md @@ -1,15 +1,15 @@ --- title: Policy CSP - EnterpriseCloudPrint description: Use the Policy CSP - EnterpriseCloudPrint setting to define the maximum number of printers that should be queried from a discovery end point. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - EnterpriseCloudPrint diff --git a/windows/client-management/mdm/policy-csp-errorreporting.md b/windows/client-management/mdm/policy-csp-errorreporting.md index 720f5cae3c..f387a56a6e 100644 --- a/windows/client-management/mdm/policy-csp-errorreporting.md +++ b/windows/client-management/mdm/policy-csp-errorreporting.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ErrorReporting description: Learn how to use the Policy CSP - ErrorReporting setting to determine the consent behavior of Windows Error Reporting for specific event types. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ErrorReporting diff --git a/windows/client-management/mdm/policy-csp-eventlogservice.md b/windows/client-management/mdm/policy-csp-eventlogservice.md index 1616de5ece..3212b6504e 100644 --- a/windows/client-management/mdm/policy-csp-eventlogservice.md +++ b/windows/client-management/mdm/policy-csp-eventlogservice.md @@ -1,15 +1,15 @@ --- title: Policy CSP - EventLogService description: Learn how to use the Policy CSP - EventLogService setting to control Event Log behavior when the log file reaches its maximum size. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - EventLogService diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md index ae3ff0f9a6..a2da6374ab 100644 --- a/windows/client-management/mdm/policy-csp-experience.md +++ b/windows/client-management/mdm/policy-csp-experience.md @@ -1,15 +1,15 @@ --- title: Policy CSP - Experience description: Learn how to use the Policy CSP - Experience setting to allow history of clipboard items to be stored in memory. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 11/02/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - Experience diff --git a/windows/client-management/mdm/policy-csp-exploitguard.md b/windows/client-management/mdm/policy-csp-exploitguard.md index 80582e1ec2..c187c4bbef 100644 --- a/windows/client-management/mdm/policy-csp-exploitguard.md +++ b/windows/client-management/mdm/policy-csp-exploitguard.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ExploitGuard description: Use the Policy CSP - ExploitGuard setting to push out the desired system configuration and application mitigation options to all the devices in the organization. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ExploitGuard diff --git a/windows/client-management/mdm/policy-csp-feeds.md b/windows/client-management/mdm/policy-csp-feeds.md index f8a8f5eea5..281f12f579 100644 --- a/windows/client-management/mdm/policy-csp-feeds.md +++ b/windows/client-management/mdm/policy-csp-feeds.md @@ -1,15 +1,15 @@ --- title: Policy CSP - Feeds description: Use the Policy CSP - Feeds setting policy specifies whether news and interests is allowed on the device. -ms.author: v-nsatapathy +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: nimishasatapathy +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/17/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - Feeds diff --git a/windows/client-management/mdm/policy-csp-fileexplorer.md b/windows/client-management/mdm/policy-csp-fileexplorer.md index b46e93af9c..5f49f1d40e 100644 --- a/windows/client-management/mdm/policy-csp-fileexplorer.md +++ b/windows/client-management/mdm/policy-csp-fileexplorer.md @@ -1,15 +1,15 @@ --- title: Policy CSP - FileExplorer description: Use the Policy CSP - FileExplorer setting so you can allow certain legacy plug-in applications to function without terminating Explorer. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - FileExplorer diff --git a/windows/client-management/mdm/policy-csp-games.md b/windows/client-management/mdm/policy-csp-games.md index e6fde52f63..16a07d2e71 100644 --- a/windows/client-management/mdm/policy-csp-games.md +++ b/windows/client-management/mdm/policy-csp-games.md @@ -1,15 +1,15 @@ --- title: Policy CSP - Games description: Learn to use the Policy CSP - Games setting so that you can specify whether advanced gaming services can be used. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - Games diff --git a/windows/client-management/mdm/policy-csp-handwriting.md b/windows/client-management/mdm/policy-csp-handwriting.md index 8602af165b..3146be4db8 100644 --- a/windows/client-management/mdm/policy-csp-handwriting.md +++ b/windows/client-management/mdm/policy-csp-handwriting.md @@ -1,15 +1,15 @@ --- title: Policy CSP - Handwriting description: Use the Policy CSP - Handwriting setting to allow an enterprise to configure the default mode for the handwriting panel. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - Handwriting diff --git a/windows/client-management/mdm/policy-csp-humanpresence.md b/windows/client-management/mdm/policy-csp-humanpresence.md index 8b672ccbbf..df30b8f920 100644 --- a/windows/client-management/mdm/policy-csp-humanpresence.md +++ b/windows/client-management/mdm/policy-csp-humanpresence.md @@ -1,15 +1,15 @@ --- title: Policy CSP - HumanPresence description: Use the Policy CSP - HumanPresence setting allows wake on approach and lock on leave that can be managed from MDM. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - HumanPresence diff --git a/windows/client-management/mdm/policy-csp-internetexplorer.md b/windows/client-management/mdm/policy-csp-internetexplorer.md index 9d519bfe5d..ef76b0c2fb 100644 --- a/windows/client-management/mdm/policy-csp-internetexplorer.md +++ b/windows/client-management/mdm/policy-csp-internetexplorer.md @@ -1,14 +1,14 @@ --- title: Policy CSP - InternetExplorer description: Use the Policy CSP - InternetExplorer setting to add a specific list of search providers to the user's default list of search providers. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - InternetExplorer diff --git a/windows/client-management/mdm/policy-csp-kerberos.md b/windows/client-management/mdm/policy-csp-kerberos.md index 5e4320bf4c..0e1fdaeb77 100644 --- a/windows/client-management/mdm/policy-csp-kerberos.md +++ b/windows/client-management/mdm/policy-csp-kerberos.md @@ -1,15 +1,15 @@ --- title: Policy CSP - Kerberos description: Define the list of trusting forests that the Kerberos client searches when attempting to resolve two-part service principal names (SPNs). -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - Kerberos diff --git a/windows/client-management/mdm/policy-csp-kioskbrowser.md b/windows/client-management/mdm/policy-csp-kioskbrowser.md index e5a08afafe..e1456fa569 100644 --- a/windows/client-management/mdm/policy-csp-kioskbrowser.md +++ b/windows/client-management/mdm/policy-csp-kioskbrowser.md @@ -1,15 +1,15 @@ --- title: Policy CSP - KioskBrowser description: Use the Policy CSP - KioskBrowser setting to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - KioskBrowser diff --git a/windows/client-management/mdm/policy-csp-lanmanworkstation.md b/windows/client-management/mdm/policy-csp-lanmanworkstation.md index 40e82cbc5d..15b727545c 100644 --- a/windows/client-management/mdm/policy-csp-lanmanworkstation.md +++ b/windows/client-management/mdm/policy-csp-lanmanworkstation.md @@ -1,15 +1,15 @@ --- title: Policy CSP - LanmanWorkstation description: Use the Policy CSP - LanmanWorkstation setting to determine if the SMB client will allow insecure guest sign ins to an SMB server. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - LanmanWorkstation diff --git a/windows/client-management/mdm/policy-csp-licensing.md b/windows/client-management/mdm/policy-csp-licensing.md index 80e2f0bd5a..af74d4384d 100644 --- a/windows/client-management/mdm/policy-csp-licensing.md +++ b/windows/client-management/mdm/policy-csp-licensing.md @@ -1,15 +1,15 @@ --- title: Policy CSP - Licensing description: Use the Policy CSP - Licensing setting to enable or disable Windows license reactivation on managed devices. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - Licensing diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md index af2cf856e3..21dfa77d35 100644 --- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md +++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md @@ -1,15 +1,15 @@ --- title: Policy CSP - LocalPoliciesSecurityOptions description: These settings prevent users from adding new Microsoft accounts on a specific computer using LocalPoliciesSecurityOptions. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 12/16/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - LocalPoliciesSecurityOptions diff --git a/windows/client-management/mdm/policy-csp-localusersandgroups.md b/windows/client-management/mdm/policy-csp-localusersandgroups.md index 46d691f702..c2c636a46f 100644 --- a/windows/client-management/mdm/policy-csp-localusersandgroups.md +++ b/windows/client-management/mdm/policy-csp-localusersandgroups.md @@ -1,15 +1,15 @@ --- title: Policy CSP - LocalUsersAndGroups description: Policy CSP - LocalUsersAndGroups -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 10/14/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - LocalUsersAndGroups diff --git a/windows/client-management/mdm/policy-csp-lockdown.md b/windows/client-management/mdm/policy-csp-lockdown.md index 97ea810006..7b338795e8 100644 --- a/windows/client-management/mdm/policy-csp-lockdown.md +++ b/windows/client-management/mdm/policy-csp-lockdown.md @@ -1,15 +1,15 @@ --- title: Policy CSP - LockDown description: Use the Policy CSP - LockDown setting to allow the user to invoke any system user interface by swiping in from any screen edge using touch. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - LockDown diff --git a/windows/client-management/mdm/policy-csp-maps.md b/windows/client-management/mdm/policy-csp-maps.md index 6ee7e3956d..d62a84d748 100644 --- a/windows/client-management/mdm/policy-csp-maps.md +++ b/windows/client-management/mdm/policy-csp-maps.md @@ -1,15 +1,15 @@ --- title: Policy CSP - Maps description: Use the Policy CSP - Maps setting to allow the download and update of map data over metered connections. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - Maps diff --git a/windows/client-management/mdm/policy-csp-memorydump.md b/windows/client-management/mdm/policy-csp-memorydump.md index 92d62d27ee..37bcafe0e4 100644 --- a/windows/client-management/mdm/policy-csp-memorydump.md +++ b/windows/client-management/mdm/policy-csp-memorydump.md @@ -1,15 +1,15 @@ --- title: Policy CSP - MemoryDump description: Use the Policy CSP -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - MemoryDump diff --git a/windows/client-management/mdm/policy-csp-messaging.md b/windows/client-management/mdm/policy-csp-messaging.md index f002adc108..ea92d4a966 100644 --- a/windows/client-management/mdm/policy-csp-messaging.md +++ b/windows/client-management/mdm/policy-csp-messaging.md @@ -1,15 +1,15 @@ --- title: Policy CSP - Messaging description: Enable, and disable, text message backup and restore as well as Messaging Everywhere by using the Policy CSP for messaging. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - Messaging diff --git a/windows/client-management/mdm/policy-csp-mixedreality.md b/windows/client-management/mdm/policy-csp-mixedreality.md index b0f1607d6b..1467f5ebf7 100644 --- a/windows/client-management/mdm/policy-csp-mixedreality.md +++ b/windows/client-management/mdm/policy-csp-mixedreality.md @@ -1,14 +1,14 @@ --- title: Policy CSP - MixedReality description: Policy CSP - MixedReality -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - MixedReality diff --git a/windows/client-management/mdm/policy-csp-mssecurityguide.md b/windows/client-management/mdm/policy-csp-mssecurityguide.md index c85466d3ee..d2b17be697 100644 --- a/windows/client-management/mdm/policy-csp-mssecurityguide.md +++ b/windows/client-management/mdm/policy-csp-mssecurityguide.md @@ -1,15 +1,15 @@ --- title: Policy CSP - MSSecurityGuide description: Learn how Policy CSP - MSSecurityGuide, an ADMX-backed policy, requires a special SyncML format to enable or disable. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - MSSecurityGuide diff --git a/windows/client-management/mdm/policy-csp-msslegacy.md b/windows/client-management/mdm/policy-csp-msslegacy.md index 83db3103f2..d6d732e4cf 100644 --- a/windows/client-management/mdm/policy-csp-msslegacy.md +++ b/windows/client-management/mdm/policy-csp-msslegacy.md @@ -1,15 +1,15 @@ --- title: Policy CSP - MSSLegacy -description: Learn how Policy CSP - MSSLegacy, an ADMX-backed policy, requires a special SyncML format to enable or disable. -ms.author: dansimp +description: Learn how Policy CSP - MSSLegacy, an ADMX-backed policy, requires a special SyncML format to enable or disable. +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - MSSLegacy diff --git a/windows/client-management/mdm/policy-csp-multitasking.md b/windows/client-management/mdm/policy-csp-multitasking.md index 9f93048ae9..0329b17188 100644 --- a/windows/client-management/mdm/policy-csp-multitasking.md +++ b/windows/client-management/mdm/policy-csp-multitasking.md @@ -1,15 +1,15 @@ --- title: Policy CSP - Multitasking description: Policy CSP - Multitasking -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 10/30/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - Multitasking diff --git a/windows/client-management/mdm/policy-csp-networkisolation.md b/windows/client-management/mdm/policy-csp-networkisolation.md index 4b81789c59..d2d4a901b0 100644 --- a/windows/client-management/mdm/policy-csp-networkisolation.md +++ b/windows/client-management/mdm/policy-csp-networkisolation.md @@ -1,15 +1,15 @@ --- title: Policy CSP - NetworkIsolation description: Learn how Policy CSP - NetworkIsolation contains a list of Enterprise resource domains hosted in the cloud that need to be protected. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - NetworkIsolation diff --git a/windows/client-management/mdm/policy-csp-networklistmanager.md b/windows/client-management/mdm/policy-csp-networklistmanager.md index 72328ad669..bd33a1ddfa 100644 --- a/windows/client-management/mdm/policy-csp-networklistmanager.md +++ b/windows/client-management/mdm/policy-csp-networklistmanager.md @@ -1,15 +1,15 @@ --- title: Policy CSP - NetworkListManager description: Policy CSP - NetworkListManager is a setting creates a new MDM policy. This setting allows admins to configure a list of URIs of HTTPS endpoints that are considered secure. -ms.author: v-nsatapathy +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: nimishasatapathy +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 12/16/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - NetworkListManager diff --git a/windows/client-management/mdm/policy-csp-newsandinterests.md b/windows/client-management/mdm/policy-csp-newsandinterests.md index 6eb42f6671..59566c1026 100644 --- a/windows/client-management/mdm/policy-csp-newsandinterests.md +++ b/windows/client-management/mdm/policy-csp-newsandinterests.md @@ -1,15 +1,15 @@ --- title: Policy CSP - NewsAndInterests description: Learn how Policy CSP - NewsandInterests contains a list of news and interests. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - NewsAndInterests diff --git a/windows/client-management/mdm/policy-csp-notifications.md b/windows/client-management/mdm/policy-csp-notifications.md index 3039a6845a..32ddde9d1a 100644 --- a/windows/client-management/mdm/policy-csp-notifications.md +++ b/windows/client-management/mdm/policy-csp-notifications.md @@ -1,15 +1,15 @@ --- title: Policy CSP - Notifications description: Block applications from using the network to send tile, badge, toast, and raw notifications for Policy CSP - Notifications. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - Notifications diff --git a/windows/client-management/mdm/policy-csp-power.md b/windows/client-management/mdm/policy-csp-power.md index ca3d7e34bd..117535d8e7 100644 --- a/windows/client-management/mdm/policy-csp-power.md +++ b/windows/client-management/mdm/policy-csp-power.md @@ -1,15 +1,15 @@ --- title: Policy CSP - Power description: Learn how the Policy CSP - Power setting manages whether or not Windows is allowed to use standby states when putting the computer in a sleep state. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - Power diff --git a/windows/client-management/mdm/policy-csp-printers.md b/windows/client-management/mdm/policy-csp-printers.md index 3fe4de393e..bcce2e1390 100644 --- a/windows/client-management/mdm/policy-csp-printers.md +++ b/windows/client-management/mdm/policy-csp-printers.md @@ -1,15 +1,15 @@ --- title: Policy CSP - Printers -description: Use this policy setting to control the client Point and Print behavior, including security prompts for Windows Vista computers. -ms.author: dansimp +description: Use this policy setting to control the client Point and Print behavior, including security prompts for Windows Vista computers. +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - Printers diff --git a/windows/client-management/mdm/policy-csp-privacy.md b/windows/client-management/mdm/policy-csp-privacy.md index 6f984cad6c..eef582a24e 100644 --- a/windows/client-management/mdm/policy-csp-privacy.md +++ b/windows/client-management/mdm/policy-csp-privacy.md @@ -1,15 +1,15 @@ --- title: Policy CSP - Privacy description: Learn how the Policy CSP - Privacy setting allows or disallows the automatic acceptance of the pairing and privacy user consent dialog when launching apps. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - Privacy diff --git a/windows/client-management/mdm/policy-csp-remoteassistance.md b/windows/client-management/mdm/policy-csp-remoteassistance.md index 0faafb160a..eb47527466 100644 --- a/windows/client-management/mdm/policy-csp-remoteassistance.md +++ b/windows/client-management/mdm/policy-csp-remoteassistance.md @@ -1,15 +1,15 @@ --- title: Policy CSP - RemoteAssistance description: Learn how the Policy CSP - RemoteAssistance setting allows you to specify a custom message to display. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - RemoteAssistance diff --git a/windows/client-management/mdm/policy-csp-remotedesktop.md b/windows/client-management/mdm/policy-csp-remotedesktop.md index 077e297205..85588a127d 100644 --- a/windows/client-management/mdm/policy-csp-remotedesktop.md +++ b/windows/client-management/mdm/policy-csp-remotedesktop.md @@ -1,15 +1,15 @@ --- title: Policy CSP - RemoteDesktop description: Learn how the Policy CSP - RemoteDesktop setting allows you to specify a custom message to display. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - RemoteDesktop diff --git a/windows/client-management/mdm/policy-csp-remotedesktopservices.md b/windows/client-management/mdm/policy-csp-remotedesktopservices.md index bc4a782639..09f3f50725 100644 --- a/windows/client-management/mdm/policy-csp-remotedesktopservices.md +++ b/windows/client-management/mdm/policy-csp-remotedesktopservices.md @@ -1,15 +1,15 @@ --- title: Policy CSP - RemoteDesktopServices description: Learn how the Policy CSP - RemoteDesktopServices setting allows you to configure remote access to computers by using Remote Desktop Services. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - RemoteDesktopServices diff --git a/windows/client-management/mdm/policy-csp-remotemanagement.md b/windows/client-management/mdm/policy-csp-remotemanagement.md index 82936149da..ff88b2a36d 100644 --- a/windows/client-management/mdm/policy-csp-remotemanagement.md +++ b/windows/client-management/mdm/policy-csp-remotemanagement.md @@ -1,15 +1,15 @@ --- title: Policy CSP - RemoteManagement description: Learn how the Policy CSP - RemoteManagement setting allows you to manage whether the Windows Remote Management (WinRM) client uses Basic authentication. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - RemoteManagement diff --git a/windows/client-management/mdm/policy-csp-remoteprocedurecall.md b/windows/client-management/mdm/policy-csp-remoteprocedurecall.md index 29a499d619..8708f25937 100644 --- a/windows/client-management/mdm/policy-csp-remoteprocedurecall.md +++ b/windows/client-management/mdm/policy-csp-remoteprocedurecall.md @@ -1,15 +1,15 @@ --- title: Policy CSP - RemoteProcedureCall description: The Policy CSP - RemoteProcedureCall setting controls whether RPC clients authenticate when the call they're making contains authentication information. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - RemoteProcedureCall diff --git a/windows/client-management/mdm/policy-csp-remoteshell.md b/windows/client-management/mdm/policy-csp-remoteshell.md index 9596508d36..53820c929c 100644 --- a/windows/client-management/mdm/policy-csp-remoteshell.md +++ b/windows/client-management/mdm/policy-csp-remoteshell.md @@ -1,15 +1,15 @@ --- title: Policy CSP - RemoteShell description: Learn details about the Policy CSP - RemoteShell setting so that you can configure access to remote shells. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - RemoteShell diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md index 74e05f8d7b..4e4e6b8876 100644 --- a/windows/client-management/mdm/policy-csp-restrictedgroups.md +++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md @@ -1,15 +1,15 @@ --- title: Policy CSP - RestrictedGroups description: Learn how the Policy CSP - RestrictedGroups setting allows an administrator to define the members that are part of a security-sensitive (restricted) group. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 04/07/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - RestrictedGroups diff --git a/windows/client-management/mdm/policy-csp-search.md b/windows/client-management/mdm/policy-csp-search.md index 6c61c3e748..60777e520f 100644 --- a/windows/client-management/mdm/policy-csp-search.md +++ b/windows/client-management/mdm/policy-csp-search.md @@ -1,15 +1,15 @@ --- title: Policy CSP - Search description: Learn how the Policy CSP - Search setting allows search and Cortana to search cloud sources like OneDrive and SharePoint. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 02/12/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - Search diff --git a/windows/client-management/mdm/policy-csp-security.md b/windows/client-management/mdm/policy-csp-security.md index 7399515109..dced08216c 100644 --- a/windows/client-management/mdm/policy-csp-security.md +++ b/windows/client-management/mdm/policy-csp-security.md @@ -1,15 +1,15 @@ --- title: Policy CSP - Security description: Learn how the Policy CSP - Security setting can specify whether to allow the runtime configuration agent to install provisioning packages. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - Security diff --git a/windows/client-management/mdm/policy-csp-servicecontrolmanager.md b/windows/client-management/mdm/policy-csp-servicecontrolmanager.md index 55e1034d36..20f852795a 100644 --- a/windows/client-management/mdm/policy-csp-servicecontrolmanager.md +++ b/windows/client-management/mdm/policy-csp-servicecontrolmanager.md @@ -1,7 +1,7 @@ --- title: Policy CSP - ServiceControlManager description: Learn how the Policy CSP - ServiceControlManager setting enables process mitigation options on svchost.exe processes. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/policy-csp-settings.md b/windows/client-management/mdm/policy-csp-settings.md index 1b3303cfb8..37e5e21450 100644 --- a/windows/client-management/mdm/policy-csp-settings.md +++ b/windows/client-management/mdm/policy-csp-settings.md @@ -1,15 +1,15 @@ --- title: Policy CSP - Settings description: Learn how to use the Policy CSP - Settings setting so that you can allow the user to change Auto Play settings. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - Settings diff --git a/windows/client-management/mdm/policy-csp-smartscreen.md b/windows/client-management/mdm/policy-csp-smartscreen.md index cb36588175..11d6e32c39 100644 --- a/windows/client-management/mdm/policy-csp-smartscreen.md +++ b/windows/client-management/mdm/policy-csp-smartscreen.md @@ -1,15 +1,15 @@ --- title: Policy CSP - SmartScreen description: Use the Policy CSP - SmartScreen setting to allow IT Admins to control whether users are allowed to install apps from places other than the Store. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - SmartScreen diff --git a/windows/client-management/mdm/policy-csp-speech.md b/windows/client-management/mdm/policy-csp-speech.md index f46af42add..b97360b3f1 100644 --- a/windows/client-management/mdm/policy-csp-speech.md +++ b/windows/client-management/mdm/policy-csp-speech.md @@ -1,15 +1,15 @@ --- title: Policy CSP - Speech description: Learn how the Policy CSP - Speech setting specifies whether the device will receive updates to the speech recognition and speech synthesis models. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - Speech diff --git a/windows/client-management/mdm/policy-csp-start.md b/windows/client-management/mdm/policy-csp-start.md index 3eacbd485d..e794d81f7b 100644 --- a/windows/client-management/mdm/policy-csp-start.md +++ b/windows/client-management/mdm/policy-csp-start.md @@ -1,15 +1,15 @@ --- title: Policy CSP - Start description: Use the Policy CSP - Start setting to control the visibility of the Documents shortcut on the Start menu. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - Start diff --git a/windows/client-management/mdm/policy-csp-storage.md b/windows/client-management/mdm/policy-csp-storage.md index a9e43b4855..d0117fde5d 100644 --- a/windows/client-management/mdm/policy-csp-storage.md +++ b/windows/client-management/mdm/policy-csp-storage.md @@ -1,15 +1,15 @@ --- title: Policy CSP - Storage description: Learn to use the Policy CSP - Storage settings to automatically clean some of the user’s files to free up disk space. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 03/25/2022 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - Storage diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index b44458dd98..4e5c11cbed 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -1,15 +1,15 @@ --- title: Policy CSP - System description: Learn policy settings that determine whether users can access the Insider build controls in the advanced options for Windows Update. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 08/26/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - System diff --git a/windows/client-management/mdm/policy-csp-systemservices.md b/windows/client-management/mdm/policy-csp-systemservices.md index 7ecb2141a8..dda3779328 100644 --- a/windows/client-management/mdm/policy-csp-systemservices.md +++ b/windows/client-management/mdm/policy-csp-systemservices.md @@ -1,15 +1,15 @@ --- title: Policy CSP - SystemServices description: Learn how to use the Policy CSP - SystemServices setting to determine whether the service's start type is Automatic(2), Manual(3), Disabled(4). -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - SystemServices diff --git a/windows/client-management/mdm/policy-csp-taskmanager.md b/windows/client-management/mdm/policy-csp-taskmanager.md index 123b672f38..359565b3aa 100644 --- a/windows/client-management/mdm/policy-csp-taskmanager.md +++ b/windows/client-management/mdm/policy-csp-taskmanager.md @@ -1,15 +1,15 @@ --- title: Policy CSP - TaskManager description: Learn how to use the Policy CSP - TaskManager setting to determine whether non-administrators can use Task Manager to end tasks. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - TaskManager diff --git a/windows/client-management/mdm/policy-csp-taskscheduler.md b/windows/client-management/mdm/policy-csp-taskscheduler.md index 841d5e8f3e..f6493ca356 100644 --- a/windows/client-management/mdm/policy-csp-taskscheduler.md +++ b/windows/client-management/mdm/policy-csp-taskscheduler.md @@ -1,15 +1,15 @@ --- title: Policy CSP - TaskScheduler description: Learn how to use the Policy CSP - TaskScheduler setting to determine whether the specific task is enabled (1) or disabled (0). -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - TaskScheduler diff --git a/windows/client-management/mdm/policy-csp-textinput.md b/windows/client-management/mdm/policy-csp-textinput.md index 0d6692ed2c..f2976b8893 100644 --- a/windows/client-management/mdm/policy-csp-textinput.md +++ b/windows/client-management/mdm/policy-csp-textinput.md @@ -1,15 +1,15 @@ --- title: Policy CSP - TextInput description: The Policy CSP - TextInput setting allows the user to turn on and off the logging for incorrect conversion and saving auto-tuning result to a file. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 03/03/2022 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - TextInput diff --git a/windows/client-management/mdm/policy-csp-timelanguagesettings.md b/windows/client-management/mdm/policy-csp-timelanguagesettings.md index a580e736f3..610c3a4580 100644 --- a/windows/client-management/mdm/policy-csp-timelanguagesettings.md +++ b/windows/client-management/mdm/policy-csp-timelanguagesettings.md @@ -1,15 +1,15 @@ --- title: Policy CSP - TimeLanguageSettings description: Learn to use the Policy CSP - TimeLanguageSettings setting to specify the time zone to be applied to the device. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/28/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - TimeLanguageSettings diff --git a/windows/client-management/mdm/policy-csp-troubleshooting.md b/windows/client-management/mdm/policy-csp-troubleshooting.md index d588058db0..44b6119a56 100644 --- a/windows/client-management/mdm/policy-csp-troubleshooting.md +++ b/windows/client-management/mdm/policy-csp-troubleshooting.md @@ -1,11 +1,11 @@ --- title: Policy CSP - Troubleshooting description: The Policy CSP - Troubleshooting setting allows IT admins to configure how to apply recommended troubleshooting for known problems on the devices in their domains. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: MariciaAlforque +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 --- diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 53012c6503..384768cd58 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -1,15 +1,15 @@ --- title: Policy CSP - Update description: The Policy CSP - Update allows the IT admin, when used with Update/ActiveHoursStart, to manage a range of active hours where update reboots aren't scheduled. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 06/15/2022 ms.reviewer: -manager: dansimp +manager: aaroncz ms.collection: highpri --- diff --git a/windows/client-management/mdm/policy-csp-userrights.md b/windows/client-management/mdm/policy-csp-userrights.md index 9d126f072e..628076c675 100644 --- a/windows/client-management/mdm/policy-csp-userrights.md +++ b/windows/client-management/mdm/policy-csp-userrights.md @@ -1,15 +1,15 @@ --- title: Policy CSP - UserRights description: Learn how user rights are assigned for user accounts or groups, and how the name of the policy defines the user right in question. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 11/24/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - UserRights diff --git a/windows/client-management/mdm/policy-csp-virtualizationbasedtechnology.md b/windows/client-management/mdm/policy-csp-virtualizationbasedtechnology.md index 4d39b65348..1647ce615c 100644 --- a/windows/client-management/mdm/policy-csp-virtualizationbasedtechnology.md +++ b/windows/client-management/mdm/policy-csp-virtualizationbasedtechnology.md @@ -1,15 +1,15 @@ --- title: Policy CSP - VirtualizationBasedTechnology description: Learn to use the Policy CSP - VirtualizationBasedTechnology setting to control the state of Hypervisor-protected Code Integrity (HVCI) on devices. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: alekyaj +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 11/25/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - VirtualizationBasedTechnology diff --git a/windows/client-management/mdm/policy-csp-wifi.md b/windows/client-management/mdm/policy-csp-wifi.md index 5306104d5c..8d71416429 100644 --- a/windows/client-management/mdm/policy-csp-wifi.md +++ b/windows/client-management/mdm/policy-csp-wifi.md @@ -1,15 +1,15 @@ --- title: Policy CSP - Wifi description: Learn how the Policy CSP - Wifi setting allows or disallows the device to automatically connect to Wi-Fi hotspots. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - Wifi diff --git a/windows/client-management/mdm/policy-csp-windowsautopilot.md b/windows/client-management/mdm/policy-csp-windowsautopilot.md index 5f934b05bd..80be71fb1a 100644 --- a/windows/client-management/mdm/policy-csp-windowsautopilot.md +++ b/windows/client-management/mdm/policy-csp-windowsautopilot.md @@ -1,15 +1,15 @@ --- title: Policy CSP - WindowsAutoPilot description: Learn to use the Policy CSP - WindowsAutoPilot setting to enable or disable Autopilot Agility feature. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: alekyaj +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 11/25/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - WindowsAutoPilot diff --git a/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md b/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md index efce371108..8ebc7d88fe 100644 --- a/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md +++ b/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md @@ -1,15 +1,15 @@ --- title: Policy CSP - WindowsConnectionManager description: The Policy CSP - WindowsConnectionManager setting prevents computers from connecting to a domain-based network and a non-domain-based network simultaneously. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - WindowsConnectionManager diff --git a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md index 665a0824e5..874ba7b1ce 100644 --- a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md +++ b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md @@ -1,15 +1,15 @@ --- title: Policy CSP - WindowsDefenderSecurityCenter -description: Learn how to use the Policy CSP - WindowsDefenderSecurityCenter setting to display the Account protection area in Windows Defender Security Center. -ms.author: dansimp +description: Learn how to use the Policy CSP - WindowsDefenderSecurityCenter setting to display the Account protection area in Windows Defender Security Center. +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - WindowsDefenderSecurityCenter diff --git a/windows/client-management/mdm/policy-csp-windowsinkworkspace.md b/windows/client-management/mdm/policy-csp-windowsinkworkspace.md index b6cd4ac1ab..6879085541 100644 --- a/windows/client-management/mdm/policy-csp-windowsinkworkspace.md +++ b/windows/client-management/mdm/policy-csp-windowsinkworkspace.md @@ -1,15 +1,15 @@ --- title: Policy CSP - WindowsInkWorkspace description: Learn to use the Policy CSP - WindowsInkWorkspace setting to specify whether to allow the user to access the ink workspace. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - WindowsInkWorkspace diff --git a/windows/client-management/mdm/policy-csp-windowslogon.md b/windows/client-management/mdm/policy-csp-windowslogon.md index 4951a14248..bb762016fc 100644 --- a/windows/client-management/mdm/policy-csp-windowslogon.md +++ b/windows/client-management/mdm/policy-csp-windowslogon.md @@ -1,15 +1,15 @@ --- title: Policy CSP - WindowsLogon description: Use the Policy CSP - WindowsLogon setting to control whether a device automatically signs in and locks the last interactive user after the system restarts. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - WindowsLogon diff --git a/windows/client-management/mdm/policy-csp-windowspowershell.md b/windows/client-management/mdm/policy-csp-windowspowershell.md index 2aa49f3cfb..e03c8cee0e 100644 --- a/windows/client-management/mdm/policy-csp-windowspowershell.md +++ b/windows/client-management/mdm/policy-csp-windowspowershell.md @@ -1,15 +1,15 @@ --- title: Policy CSP - WindowsPowerShell description: Use the Policy CSP - WindowsPowerShell setting to enable logging of all PowerShell script input to the Microsoft-Windows-PowerShell/Operational event log. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - WindowsPowerShell diff --git a/windows/client-management/mdm/policy-csp-windowssandbox.md b/windows/client-management/mdm/policy-csp-windowssandbox.md index 8a946c0358..b66b784a64 100644 --- a/windows/client-management/mdm/policy-csp-windowssandbox.md +++ b/windows/client-management/mdm/policy-csp-windowssandbox.md @@ -1,11 +1,11 @@ --- title: Policy CSP - WindowsSandbox description: Policy CSP - WindowsSandbox -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 10/14/2020 --- diff --git a/windows/client-management/mdm/policy-csp-wirelessdisplay.md b/windows/client-management/mdm/policy-csp-wirelessdisplay.md index 54953f93ee..f3891cb68f 100644 --- a/windows/client-management/mdm/policy-csp-wirelessdisplay.md +++ b/windows/client-management/mdm/policy-csp-wirelessdisplay.md @@ -1,15 +1,15 @@ --- title: Policy CSP - WirelessDisplay description: Use the Policy CSP - WirelessDisplay setting to turn off the Wireless Display multicast DNS service advertisement from a Wireless Display receiver. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - WirelessDisplay diff --git a/windows/client-management/mdm/policy-ddf-file.md b/windows/client-management/mdm/policy-ddf-file.md index bffc844378..16bce236f5 100644 --- a/windows/client-management/mdm/policy-ddf-file.md +++ b/windows/client-management/mdm/policy-ddf-file.md @@ -2,12 +2,12 @@ title: Policy DDF file description: Learn about the OMA DM device description framework (DDF) for the Policy configuration service provider. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 10/28/2020 --- diff --git a/windows/client-management/mdm/provisioning-csp.md b/windows/client-management/mdm/provisioning-csp.md index cf2bf86897..5b0882d135 100644 --- a/windows/client-management/mdm/provisioning-csp.md +++ b/windows/client-management/mdm/provisioning-csp.md @@ -2,12 +2,12 @@ title: Provisioning CSP description: The Provisioning configuration service provider is used for bulk user enrollment to an MDM service. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/push-notification-windows-mdm.md b/windows/client-management/mdm/push-notification-windows-mdm.md index 5c41f9aa36..5f5f318d06 100644 --- a/windows/client-management/mdm/push-notification-windows-mdm.md +++ b/windows/client-management/mdm/push-notification-windows-mdm.md @@ -1,16 +1,16 @@ --- title: Push notification support for device management description: The DMClient CSP supports the ability to configure push-initiated device management sessions. -MS-HAID: -- 'p\_phdevicemgmt.push\_notification\_support\_for\_device\_management' -- 'p\_phDeviceMgmt.push\_notification\_windows\_mdm' +MS-HAID: + - 'p\_phdevicemgmt.push\_notification\_support\_for\_device\_management' + - 'p\_phDeviceMgmt.push\_notification\_windows\_mdm' ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/22/2017 --- diff --git a/windows/client-management/mdm/pxlogical-csp.md b/windows/client-management/mdm/pxlogical-csp.md index cae3527452..78bb60896b 100644 --- a/windows/client-management/mdm/pxlogical-csp.md +++ b/windows/client-management/mdm/pxlogical-csp.md @@ -2,12 +2,12 @@ title: PXLOGICAL configuration service provider description: The PXLOGICAL configuration service provider is used to add, remove, or modify WAP logical and physical proxies by using WAP or the standard Windows techniques. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/reboot-csp.md b/windows/client-management/mdm/reboot-csp.md index 1934327705..50bb03819f 100644 --- a/windows/client-management/mdm/reboot-csp.md +++ b/windows/client-management/mdm/reboot-csp.md @@ -2,12 +2,12 @@ title: Reboot CSP description: Learn how the Reboot configuration service provider (CSP) is used to configure reboot settings. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/reboot-ddf-file.md b/windows/client-management/mdm/reboot-ddf-file.md index ec6084c3b0..3628eaf7e4 100644 --- a/windows/client-management/mdm/reboot-ddf-file.md +++ b/windows/client-management/mdm/reboot-ddf-file.md @@ -2,12 +2,12 @@ title: Reboot DDF file description: This topic shows the OMA DM device description framework (DDF) for the Reboot configuration service provider. DDF files are used only with OMA DM provisioning XML. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/reclaim-seat-from-user.md b/windows/client-management/mdm/reclaim-seat-from-user.md index c5f35430d4..bdd37fcbbe 100644 --- a/windows/client-management/mdm/reclaim-seat-from-user.md +++ b/windows/client-management/mdm/reclaim-seat-from-user.md @@ -2,12 +2,12 @@ title: Reclaim seat from user description: The Reclaim seat from user operation returns reclaimed seats for a user in the Microsoft Store for Business. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 05/05/2020 --- diff --git a/windows/client-management/mdm/register-your-free-azure-active-directory-subscription.md b/windows/client-management/mdm/register-your-free-azure-active-directory-subscription.md index a51ff42cae..c73053417b 100644 --- a/windows/client-management/mdm/register-your-free-azure-active-directory-subscription.md +++ b/windows/client-management/mdm/register-your-free-azure-active-directory-subscription.md @@ -2,12 +2,12 @@ title: Register your free Azure Active Directory subscription description: Paid subscribers to Office 365, Microsoft Dynamics CRM Online, Enterprise Mobility Suite, or other Microsoft services, have a free subscription to Azure AD. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/remotefind-csp.md b/windows/client-management/mdm/remotefind-csp.md index 4453fedf30..96140781af 100644 --- a/windows/client-management/mdm/remotefind-csp.md +++ b/windows/client-management/mdm/remotefind-csp.md @@ -2,12 +2,12 @@ title: RemoteFind CSP description: The RemoteFind configuration service provider retrieves the location information for a particular device. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/remotefind-ddf-file.md b/windows/client-management/mdm/remotefind-ddf-file.md index 1cc00be86b..e92498a5f3 100644 --- a/windows/client-management/mdm/remotefind-ddf-file.md +++ b/windows/client-management/mdm/remotefind-ddf-file.md @@ -2,12 +2,12 @@ title: RemoteFind DDF file description: This topic shows the OMA DM device description framework (DDF) for the RemoteFind configuration service provider. DDF files are used only with OMA DM provisioning XML. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/remotering-csp.md b/windows/client-management/mdm/remotering-csp.md index 0e0012bb4b..441f69fe60 100644 --- a/windows/client-management/mdm/remotering-csp.md +++ b/windows/client-management/mdm/remotering-csp.md @@ -2,12 +2,12 @@ title: RemoteRing CSP description: The RemoteRing CSP can be used to remotely trigger a device to produce an audible ringing sound regardless of the volume that's set on the device. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/remotewipe-csp.md b/windows/client-management/mdm/remotewipe-csp.md index 8417d9c8af..07413835c9 100644 --- a/windows/client-management/mdm/remotewipe-csp.md +++ b/windows/client-management/mdm/remotewipe-csp.md @@ -2,12 +2,12 @@ title: RemoteWipe CSP description: Learn how the RemoteWipe configuration service provider (CSP) can be used by mobile operators DM server or enterprise management server to remotely wipe a device. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 08/13/2018 --- diff --git a/windows/client-management/mdm/remotewipe-ddf-file.md b/windows/client-management/mdm/remotewipe-ddf-file.md index b78051384b..290767b7a1 100644 --- a/windows/client-management/mdm/remotewipe-ddf-file.md +++ b/windows/client-management/mdm/remotewipe-ddf-file.md @@ -2,12 +2,12 @@ title: RemoteWipe DDF file description: Learn about the OMA DM device description framework (DDF) for the RemoteWipe configuration service provider. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 08/13/2018 --- diff --git a/windows/client-management/mdm/reporting-csp.md b/windows/client-management/mdm/reporting-csp.md index b35de0f323..79814579cb 100644 --- a/windows/client-management/mdm/reporting-csp.md +++ b/windows/client-management/mdm/reporting-csp.md @@ -2,12 +2,12 @@ title: Reporting CSP description: The Reporting configuration service provider is used to retrieve Windows Information Protection (formerly known as Enterprise Data Protection) and security auditing logs. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/reporting-ddf-file.md b/windows/client-management/mdm/reporting-ddf-file.md index ac2bc0f113..a18c3cb3b6 100644 --- a/windows/client-management/mdm/reporting-ddf-file.md +++ b/windows/client-management/mdm/reporting-ddf-file.md @@ -2,12 +2,12 @@ title: Reporting DDF file description: View the OMA DM device description framework (DDF) for the Reporting configuration service provider. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/rest-api-reference-windows-store-for-business.md b/windows/client-management/mdm/rest-api-reference-windows-store-for-business.md index ef51421942..3dc28440bd 100644 --- a/windows/client-management/mdm/rest-api-reference-windows-store-for-business.md +++ b/windows/client-management/mdm/rest-api-reference-windows-store-for-business.md @@ -1,16 +1,16 @@ --- title: REST API reference for Microsoft Store for Business description: Learn how the REST API reference for Microsoft Store for Business includes available operations and data structures. -MS-HAID: -- 'p\_phdevicemgmt.business\_store\_portal\_management\_rest\_api\_reference' -- 'p\_phDeviceMgmt.rest\_api\_reference\_windows\_store\_for\_Business' +MS-HAID: + - 'p\_phdevicemgmt.business\_store\_portal\_management\_rest\_api\_reference' + - 'p\_phDeviceMgmt.rest\_api\_reference\_windows\_store\_for\_Business' ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/18/2017 --- diff --git a/windows/client-management/mdm/rootcacertificates-csp.md b/windows/client-management/mdm/rootcacertificates-csp.md index cbfbf19ba1..0ff47616c0 100644 --- a/windows/client-management/mdm/rootcacertificates-csp.md +++ b/windows/client-management/mdm/rootcacertificates-csp.md @@ -2,12 +2,12 @@ title: RootCATrustedCertificates CSP description: Learn how the RootCATrustedCertificates configuration service provider (CSP) enables the enterprise to set the Root Certificate Authority (CA) certificates. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 03/06/2018 --- diff --git a/windows/client-management/mdm/rootcacertificates-ddf-file.md b/windows/client-management/mdm/rootcacertificates-ddf-file.md index cc11893ef0..67f5c3a6d7 100644 --- a/windows/client-management/mdm/rootcacertificates-ddf-file.md +++ b/windows/client-management/mdm/rootcacertificates-ddf-file.md @@ -2,12 +2,12 @@ title: RootCATrustedCertificates DDF file description: Learn about the OMA DM device description framework (DDF) for the RootCACertificates configuration service provider (CSP). ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 03/07/2018 --- diff --git a/windows/client-management/mdm/secureassessment-csp.md b/windows/client-management/mdm/secureassessment-csp.md index b973e23145..2f16f647de 100644 --- a/windows/client-management/mdm/secureassessment-csp.md +++ b/windows/client-management/mdm/secureassessment-csp.md @@ -2,12 +2,12 @@ title: SecureAssessment CSP description: Learn how the SecureAssessment configuration service provider (CSP) is used to provide configuration information for the secure assessment browser. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/secureassessment-ddf-file.md b/windows/client-management/mdm/secureassessment-ddf-file.md index 9c0896a99d..67118163ea 100644 --- a/windows/client-management/mdm/secureassessment-ddf-file.md +++ b/windows/client-management/mdm/secureassessment-ddf-file.md @@ -2,12 +2,12 @@ title: SecureAssessment DDF file description: View the OMA DM device description framework (DDF) for the SecureAssessment configuration service provider. DDF files are used only with OMA DM provisioning XML ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/securitypolicy-csp.md b/windows/client-management/mdm/securitypolicy-csp.md index 0f55bf6958..a3f9722270 100644 --- a/windows/client-management/mdm/securitypolicy-csp.md +++ b/windows/client-management/mdm/securitypolicy-csp.md @@ -2,12 +2,12 @@ title: SecurityPolicy CSP description: The SecurityPolicy CSP is used to configure security policy settings for WAP push, OMA DM, Service Indication (SI), Service Loading (SL), and MMS. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/server-requirements-windows-mdm.md b/windows/client-management/mdm/server-requirements-windows-mdm.md index f0cade5d43..1f89f971a0 100644 --- a/windows/client-management/mdm/server-requirements-windows-mdm.md +++ b/windows/client-management/mdm/server-requirements-windows-mdm.md @@ -1,16 +1,16 @@ --- title: Server requirements for using OMA DM to manage Windows devices description: Learn about the general server requirements for using OMA DM to manage Windows devices, including the supported versions of OMA DM. -MS-HAID: -- 'p\_phDeviceMgmt.server\_requirements\_for\_oma\_dm' -- 'p\_phDeviceMgmt.server\_requirements\_windows\_mdm' +MS-HAID: + - 'p\_phDeviceMgmt.server\_requirements\_for\_oma\_dm' + - 'p\_phDeviceMgmt.server\_requirements\_windows\_mdm' ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/sharedpc-csp.md b/windows/client-management/mdm/sharedpc-csp.md index f1c190ab44..1e4509043f 100644 --- a/windows/client-management/mdm/sharedpc-csp.md +++ b/windows/client-management/mdm/sharedpc-csp.md @@ -2,12 +2,12 @@ title: SharedPC CSP description: Learn how the SharedPC configuration service provider is used to configure settings for Shared PC usage. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 01/16/2019 --- diff --git a/windows/client-management/mdm/sharedpc-ddf-file.md b/windows/client-management/mdm/sharedpc-ddf-file.md index 359f191981..1eb414317a 100644 --- a/windows/client-management/mdm/sharedpc-ddf-file.md +++ b/windows/client-management/mdm/sharedpc-ddf-file.md @@ -2,12 +2,12 @@ title: SharedPC DDF file description: Learn how the OMA DM device description framework (DDF) for the SharedPC configuration service provider (CSP). ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/storage-csp.md b/windows/client-management/mdm/storage-csp.md index d9df5b94c6..03f3fe6afa 100644 --- a/windows/client-management/mdm/storage-csp.md +++ b/windows/client-management/mdm/storage-csp.md @@ -2,12 +2,12 @@ title: Storage CSP description: Learn how the Storage enterprise configuration service provider (CSP) is used to configure the storage card settings. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/storage-ddf-file.md b/windows/client-management/mdm/storage-ddf-file.md index c5870a9cb4..4d2a9283a7 100644 --- a/windows/client-management/mdm/storage-ddf-file.md +++ b/windows/client-management/mdm/storage-ddf-file.md @@ -2,12 +2,12 @@ title: Storage DDF file description: Learn about the OMA DM device description framework (DDF) for the Storage configuration service provider (CSP). ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/structure-of-oma-dm-provisioning-files.md b/windows/client-management/mdm/structure-of-oma-dm-provisioning-files.md index 15ee879130..d34d3c1746 100644 --- a/windows/client-management/mdm/structure-of-oma-dm-provisioning-files.md +++ b/windows/client-management/mdm/structure-of-oma-dm-provisioning-files.md @@ -2,12 +2,12 @@ title: Structure of OMA DM provisioning files description: Learn about the structure of OMA DM provisioning files, for example how each message is composed of a header, specified by the SyncHdr element, and a message body. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/supl-csp.md b/windows/client-management/mdm/supl-csp.md index 42cfa00702..802b366a55 100644 --- a/windows/client-management/mdm/supl-csp.md +++ b/windows/client-management/mdm/supl-csp.md @@ -2,12 +2,12 @@ title: SUPL CSP description: Learn how the SUPL configuration service provider (CSP) is used to configure the location client. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/12/2019 --- diff --git a/windows/client-management/mdm/supl-ddf-file.md b/windows/client-management/mdm/supl-ddf-file.md index 5d250c07da..62a7531702 100644 --- a/windows/client-management/mdm/supl-ddf-file.md +++ b/windows/client-management/mdm/supl-ddf-file.md @@ -2,12 +2,12 @@ title: SUPL DDF file description: This topic shows the OMA DM device description framework (DDF) for the SUPL configuration service provider. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/03/2020 --- diff --git a/windows/client-management/mdm/surfacehub-csp.md b/windows/client-management/mdm/surfacehub-csp.md index 7dc0ffb4eb..a7ea49f35d 100644 --- a/windows/client-management/mdm/surfacehub-csp.md +++ b/windows/client-management/mdm/surfacehub-csp.md @@ -2,12 +2,12 @@ title: SurfaceHub CSP description: The SurfaceHub configuration service provider (CSP) is used to configure Microsoft Surface Hub settings. This CSP was added in Windows 10, version 1511. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 07/28/2017 --- diff --git a/windows/client-management/mdm/surfacehub-ddf-file.md b/windows/client-management/mdm/surfacehub-ddf-file.md index 1a8a825bde..3f66986007 100644 --- a/windows/client-management/mdm/surfacehub-ddf-file.md +++ b/windows/client-management/mdm/surfacehub-ddf-file.md @@ -2,12 +2,12 @@ title: SurfaceHub DDF file description: This topic shows the OMA DM device description framework (DDF) for the SurfaceHub configuration service provider. This CSP was added in Windows 10, version 1511. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/tenantlockdown-csp.md b/windows/client-management/mdm/tenantlockdown-csp.md index a4b4565694..c271871ce1 100644 --- a/windows/client-management/mdm/tenantlockdown-csp.md +++ b/windows/client-management/mdm/tenantlockdown-csp.md @@ -1,14 +1,14 @@ --- title: TenantLockdown CSP description: To lock a device to a tenant to prevent accidental or intentional resets or wipes, use the TenantLockdown configuration service provider. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 08/13/2018 ms.reviewer: -manager: dansimp +manager: aaroncz --- # TenantLockdown CSP diff --git a/windows/client-management/mdm/tenantlockdown-ddf.md b/windows/client-management/mdm/tenantlockdown-ddf.md index e85778cb28..12dc9f5348 100644 --- a/windows/client-management/mdm/tenantlockdown-ddf.md +++ b/windows/client-management/mdm/tenantlockdown-ddf.md @@ -1,14 +1,14 @@ --- title: TenantLockdown DDF file description: XML file containing the device description framework for the TenantLockdown configuration service provider (CSP). -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 08/13/2018 ms.reviewer: -manager: dansimp +manager: aaroncz --- # TenantLockdown DDF file diff --git a/windows/client-management/mdm/tpmpolicy-csp.md b/windows/client-management/mdm/tpmpolicy-csp.md index 698e2bf85e..14bb56f7ca 100644 --- a/windows/client-management/mdm/tpmpolicy-csp.md +++ b/windows/client-management/mdm/tpmpolicy-csp.md @@ -1,14 +1,14 @@ --- title: TPMPolicy CSP description: The TPMPolicy configuration service provider (CSP) provides a mechanism to enable zero-exhaust configuration on a Windows device for TPM software components. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 11/01/2017 ms.reviewer: -manager: dansimp +manager: aaroncz --- # TPMPolicy CSP diff --git a/windows/client-management/mdm/tpmpolicy-ddf-file.md b/windows/client-management/mdm/tpmpolicy-ddf-file.md index 5cd81b56b7..42f7a373d5 100644 --- a/windows/client-management/mdm/tpmpolicy-ddf-file.md +++ b/windows/client-management/mdm/tpmpolicy-ddf-file.md @@ -1,14 +1,14 @@ --- title: TPMPolicy DDF file description: Learn about the OMA DM device description framework (DDF) for the TPMPolicy configuration service provider (CSP). -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 ms.reviewer: -manager: dansimp +manager: aaroncz --- # TPMPolicy DDF file diff --git a/windows/client-management/mdm/uefi-csp.md b/windows/client-management/mdm/uefi-csp.md index fd47c179fa..b1fd8cdde4 100644 --- a/windows/client-management/mdm/uefi-csp.md +++ b/windows/client-management/mdm/uefi-csp.md @@ -1,14 +1,14 @@ --- title: UEFI CSP description: The Uefi CSP interfaces to UEFI's Device Firmware Configuration Interface (DFCI) to make BIOS configuration changes. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 10/02/2018 ms.reviewer: -manager: dansimp +manager: aaroncz --- # UEFI CSP diff --git a/windows/client-management/mdm/uefi-ddf.md b/windows/client-management/mdm/uefi-ddf.md index 0124a0a281..51dec0bdd7 100644 --- a/windows/client-management/mdm/uefi-ddf.md +++ b/windows/client-management/mdm/uefi-ddf.md @@ -1,14 +1,14 @@ --- title: UEFI DDF file description: Learn about the OMA DM device description framework (DDF) for the Uefi configuration service provider (CSP). -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 10/02/2018 ms.reviewer: -manager: dansimp +manager: aaroncz --- # UEFI DDF file diff --git a/windows/client-management/mdm/understanding-admx-backed-policies.md b/windows/client-management/mdm/understanding-admx-backed-policies.md index da5516f990..c21a7a2573 100644 --- a/windows/client-management/mdm/understanding-admx-backed-policies.md +++ b/windows/client-management/mdm/understanding-admx-backed-policies.md @@ -1,14 +1,14 @@ --- title: Understanding ADMX policies description: In Windows 10, you can use ADMX policies for Windows 10 mobile device management (MDM) across Windows 10 devices. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 03/23/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Understanding ADMX policies diff --git a/windows/client-management/mdm/unifiedwritefilter-csp.md b/windows/client-management/mdm/unifiedwritefilter-csp.md index 46abb8acab..6e9a7e9322 100644 --- a/windows/client-management/mdm/unifiedwritefilter-csp.md +++ b/windows/client-management/mdm/unifiedwritefilter-csp.md @@ -2,12 +2,12 @@ title: UnifiedWriteFilter CSP description: The UnifiedWriteFilter (UWF) configuration service provider allows you to remotely manage the UWF. Understand how it helps protect physical storage media. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/unifiedwritefilter-ddf.md b/windows/client-management/mdm/unifiedwritefilter-ddf.md index 51a25e686a..f6cfcd2307 100644 --- a/windows/client-management/mdm/unifiedwritefilter-ddf.md +++ b/windows/client-management/mdm/unifiedwritefilter-ddf.md @@ -2,12 +2,12 @@ title: UnifiedWriteFilter DDF File description: UnifiedWriteFilter DDF File ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/universalprint-csp.md b/windows/client-management/mdm/universalprint-csp.md index fab5cf6f5e..bb4cae4a7b 100644 --- a/windows/client-management/mdm/universalprint-csp.md +++ b/windows/client-management/mdm/universalprint-csp.md @@ -1,14 +1,14 @@ --- title: UniversalPrint CSP description: Learn how the UniversalPrint configuration service provider (CSP) is used to install printers on Windows client devices. -ms.author: mandia +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: MandiOhlinger +author: vinaypamnani-msft ms.date: 06/02/2022 ms.reviewer: jimwu -manager: dougeby +manager: aaroncz --- # UniversalPrint CSP diff --git a/windows/client-management/mdm/universalprint-ddf-file.md b/windows/client-management/mdm/universalprint-ddf-file.md index cc624c9c29..6e8412dfa0 100644 --- a/windows/client-management/mdm/universalprint-ddf-file.md +++ b/windows/client-management/mdm/universalprint-ddf-file.md @@ -1,14 +1,14 @@ --- title: UniversalPrint DDF file description: UniversalPrint DDF file -ms.author: mandia +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: MandiOhlinger +author: vinaypamnani-msft ms.date: 06/02/2022 ms.reviewer: jimwu -manager: dougeby +manager: aaroncz --- # UniversalPrint DDF file diff --git a/windows/client-management/mdm/update-csp.md b/windows/client-management/mdm/update-csp.md index 8924365745..e7c54fb69a 100644 --- a/windows/client-management/mdm/update-csp.md +++ b/windows/client-management/mdm/update-csp.md @@ -2,12 +2,12 @@ title: Update CSP description: Learn how the Update configuration service provider (CSP) enables IT administrators to manage and control the rollout of new updates. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 02/23/2018 --- diff --git a/windows/client-management/mdm/update-ddf-file.md b/windows/client-management/mdm/update-ddf-file.md index 3daad32697..06da8be6f1 100644 --- a/windows/client-management/mdm/update-ddf-file.md +++ b/windows/client-management/mdm/update-ddf-file.md @@ -2,12 +2,12 @@ title: Update DDF file description: Learn about the OMA DM device description framework (DDF) for the Update configuration service provider (CSP). ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 02/23/2018 --- diff --git a/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider.md b/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider.md index 6d66ae073b..d42e777b93 100644 --- a/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider.md +++ b/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider.md @@ -2,12 +2,12 @@ title: Using PowerShell scripting with the WMI Bridge Provider description: This topic covers using PowerShell Cmdlet scripts to configure per-user and per-device policy settings, and how to invoke methods through the WMI Bridge Provider. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/vpn-csp.md b/windows/client-management/mdm/vpn-csp.md index e26ae9c716..6d484acd8d 100644 --- a/windows/client-management/mdm/vpn-csp.md +++ b/windows/client-management/mdm/vpn-csp.md @@ -2,12 +2,12 @@ title: VPN CSP description: Learn how the VPN configuration service provider (CSP) allows the mobile device management (MDM) server to configure the VPN profile of the device. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 04/02/2017 --- diff --git a/windows/client-management/mdm/vpn-ddf-file.md b/windows/client-management/mdm/vpn-ddf-file.md index a59443bf05..4cf629cb79 100644 --- a/windows/client-management/mdm/vpn-ddf-file.md +++ b/windows/client-management/mdm/vpn-ddf-file.md @@ -2,12 +2,12 @@ title: VPN DDF file description: Learn about the OMA DM device description framework (DDF) for the VPN configuration service provider (CSP). ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/vpnv2-csp.md b/windows/client-management/mdm/vpnv2-csp.md index 053e642943..fb60f1756f 100644 --- a/windows/client-management/mdm/vpnv2-csp.md +++ b/windows/client-management/mdm/vpnv2-csp.md @@ -2,12 +2,12 @@ title: VPNv2 CSP description: Learn how the VPNv2 configuration service provider (CSP) allows the mobile device management (MDM) server to configure the VPN profile of the device. ms.reviewer: pesmith -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/21/2021 --- diff --git a/windows/client-management/mdm/vpnv2-ddf-file.md b/windows/client-management/mdm/vpnv2-ddf-file.md index d94de5b3c6..ec744e211f 100644 --- a/windows/client-management/mdm/vpnv2-ddf-file.md +++ b/windows/client-management/mdm/vpnv2-ddf-file.md @@ -2,12 +2,12 @@ title: VPNv2 DDF file description: This topic shows the OMA DM device description framework (DDF) for the VPNv2 configuration service provider. ms.reviewer: pesmith -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 10/30/2020 --- diff --git a/windows/client-management/mdm/vpnv2-profile-xsd.md b/windows/client-management/mdm/vpnv2-profile-xsd.md index b1daeaf543..6e67b7102c 100644 --- a/windows/client-management/mdm/vpnv2-profile-xsd.md +++ b/windows/client-management/mdm/vpnv2-profile-xsd.md @@ -1,13 +1,13 @@ --- title: ProfileXML XSD description: Here's the XSD for the ProfileXML node in VPNv2 CSP for Windows 10 and some profile examples. -ms.reviewer: -manager: dansimp -ms.author: dansimp +ms.reviewer: +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 07/14/2020 --- diff --git a/windows/client-management/mdm/w4-application-csp.md b/windows/client-management/mdm/w4-application-csp.md index a8d705d870..7bc64259b1 100644 --- a/windows/client-management/mdm/w4-application-csp.md +++ b/windows/client-management/mdm/w4-application-csp.md @@ -2,12 +2,12 @@ title: w4 APPLICATION CSP description: Use an APPLICATION configuration service provider (CSP) that has an APPID of w4 to configure Multimedia Messaging Service (MMS). ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/w7-application-csp.md b/windows/client-management/mdm/w7-application-csp.md index cf703e5dca..f5dc037820 100644 --- a/windows/client-management/mdm/w7-application-csp.md +++ b/windows/client-management/mdm/w7-application-csp.md @@ -2,12 +2,12 @@ title: w7 APPLICATION CSP description: Learn that the APPLICATION configuration service provider (CSP) that has an APPID of w7 is used for bootstrapping a device with an OMA DM account. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/wifi-csp.md b/windows/client-management/mdm/wifi-csp.md index 4c2daf739b..60791f3a53 100644 --- a/windows/client-management/mdm/wifi-csp.md +++ b/windows/client-management/mdm/wifi-csp.md @@ -1,13 +1,13 @@ --- title: WiFi CSP -description: The WiFi configuration service provider (CSP) provides the functionality to add or delete Wi-Fi networks on a Windows device. +description: The WiFi configuration service provider (CSP) provides the functionality to add or delete Wi-Fi networks on a Windows device. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/18/2019 --- diff --git a/windows/client-management/mdm/wifi-ddf-file.md b/windows/client-management/mdm/wifi-ddf-file.md index 295832f932..3f1d8d46e7 100644 --- a/windows/client-management/mdm/wifi-ddf-file.md +++ b/windows/client-management/mdm/wifi-ddf-file.md @@ -2,12 +2,12 @@ title: WiFi DDF file description: Learn about the OMA DM device description framework (DDF) for the WiFi configuration service provider (CSP). ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/28/2018 --- diff --git a/windows/client-management/mdm/win32-and-centennial-app-policy-configuration.md b/windows/client-management/mdm/win32-and-centennial-app-policy-configuration.md index f822a664d9..824f17444b 100644 --- a/windows/client-management/mdm/win32-and-centennial-app-policy-configuration.md +++ b/windows/client-management/mdm/win32-and-centennial-app-policy-configuration.md @@ -1,14 +1,14 @@ --- title: Win32 and Desktop Bridge app ADMX policy Ingestion description: Starting in Windows 10, version 1703, you can ingest ADMX files and set those ADMX policies for Win32 and Desktop Bridge apps. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 03/23/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Win32 and Desktop Bridge app ADMX policy Ingestion diff --git a/windows/client-management/mdm/win32appinventory-csp.md b/windows/client-management/mdm/win32appinventory-csp.md index c3d3098f0a..82a4e341dd 100644 --- a/windows/client-management/mdm/win32appinventory-csp.md +++ b/windows/client-management/mdm/win32appinventory-csp.md @@ -2,12 +2,12 @@ title: Win32AppInventory CSP description: Learn how the Win32AppInventory configuration service provider (CSP) is used to provide an inventory of installed applications on a device. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/win32appinventory-ddf-file.md b/windows/client-management/mdm/win32appinventory-ddf-file.md index cbb05d50b8..9cd08b73e2 100644 --- a/windows/client-management/mdm/win32appinventory-ddf-file.md +++ b/windows/client-management/mdm/win32appinventory-ddf-file.md @@ -2,12 +2,12 @@ title: Win32AppInventory DDF file description: Learn about the OMA DM device description framework (DDF) for the Win32AppInventory configuration service provider (CSP). ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/win32compatibilityappraiser-csp.md b/windows/client-management/mdm/win32compatibilityappraiser-csp.md index ea3289d926..816e68336d 100644 --- a/windows/client-management/mdm/win32compatibilityappraiser-csp.md +++ b/windows/client-management/mdm/win32compatibilityappraiser-csp.md @@ -1,14 +1,14 @@ --- title: Win32CompatibilityAppraiser CSP description: Learn how the Win32CompatibilityAppraiser configuration service provider enables the IT admin to query the current status of the Appraiser and UTC telemetry health. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 07/19/2018 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Win32CompatibilityAppraiser CSP diff --git a/windows/client-management/mdm/win32compatibilityappraiser-ddf.md b/windows/client-management/mdm/win32compatibilityappraiser-ddf.md index 057c668a74..56b7cbd8ed 100644 --- a/windows/client-management/mdm/win32compatibilityappraiser-ddf.md +++ b/windows/client-management/mdm/win32compatibilityappraiser-ddf.md @@ -1,14 +1,14 @@ --- title: Win32CompatibilityAppraiser DDF file description: Learn about the XML file containing the device description framework for the Win32CompatibilityAppraiser configuration service provider. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 07/19/2018 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Win32CompatibilityAppraiser DDF file diff --git a/windows/client-management/mdm/windows-mdm-enterprise-settings.md b/windows/client-management/mdm/windows-mdm-enterprise-settings.md index 6ae938bf13..0c7b48f2a8 100644 --- a/windows/client-management/mdm/windows-mdm-enterprise-settings.md +++ b/windows/client-management/mdm/windows-mdm-enterprise-settings.md @@ -1,16 +1,16 @@ --- title: Enterprise settings, policies, and app management description: The DM client manages the interaction between a device and a server. Learn more about the client-server management workflow. -MS-HAID: -- 'p\_phdevicemgmt.enterprise\_settings\_\_policies\_\_and\_app\_management' -- 'p\_phDeviceMgmt.windows\_mdm\_enterprise\_settings' +MS-HAID: + - 'p\_phdevicemgmt.enterprise\_settings\_\_policies\_\_and\_app\_management' + - 'p\_phDeviceMgmt.windows\_mdm\_enterprise\_settings' ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md index 153d3dd342..48b0ea237e 100644 --- a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md +++ b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md @@ -2,12 +2,12 @@ title: WindowsAdvancedThreatProtection CSP description: The Windows Defender Advanced Threat Protection (WDATP) CSP allows IT Admins to onboard, determine configuration and health status, and offboard endpoints for WDATP. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 11/01/2017 --- diff --git a/windows/client-management/mdm/windowsadvancedthreatprotection-ddf.md b/windows/client-management/mdm/windowsadvancedthreatprotection-ddf.md index 044557e1f2..cddb4f73e0 100644 --- a/windows/client-management/mdm/windowsadvancedthreatprotection-ddf.md +++ b/windows/client-management/mdm/windowsadvancedthreatprotection-ddf.md @@ -3,12 +3,12 @@ title: WindowsAdvancedThreatProtection DDF file description: Learn about the OMA DM device description framework (DDF) for the WindowsAdvancedThreatProtection configuration service provider (CSP). ms.assetid: 0C62A790-4351-48AF-89FD-7D46C42D13E0 ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/windowsautopilot-csp.md b/windows/client-management/mdm/windowsautopilot-csp.md index f1a5f8bb5b..b50630eea2 100644 --- a/windows/client-management/mdm/windowsautopilot-csp.md +++ b/windows/client-management/mdm/windowsautopilot-csp.md @@ -2,12 +2,12 @@ title: WindowsAutopilot CSP description: Learn how without the ability to mark a device as remediation required, the device will remain in a broken state, which results in security and privacy concerns in Autopilot. ms.reviewer: -manager: dansimp -ms.author: v-nsatapathy +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 05/09/2022 --- diff --git a/windows/client-management/mdm/windowsautopilot-ddf-file.md b/windows/client-management/mdm/windowsautopilot-ddf-file.md index d6f71e89a4..dfc52ce96c 100644 --- a/windows/client-management/mdm/windowsautopilot-ddf-file.md +++ b/windows/client-management/mdm/windowsautopilot-ddf-file.md @@ -1,14 +1,14 @@ --- title: WindowsAutopilot DDF file description: Learn how without the ability to mark a device as remediation required, the device will remain in a broken state, for the WindowsAutopilot DDF file configuration service provider (CSP) . -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 02/07/2022 ms.reviewer: -manager: dansimp +manager: aaroncz --- # WindowsAutopilot DDF file diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md index 6a9c6a3055..e8c9563d43 100644 --- a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md +++ b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md @@ -1,14 +1,14 @@ --- title: WindowsDefenderApplicationGuard CSP description: Configure the settings in Microsoft Defender Application Guard by using the WindowsDefenderApplicationGuard configuration service provider (CSP). -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 11/02/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # WindowsDefenderApplicationGuard CSP diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md b/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md index d910c1b600..c49a7214d2 100644 --- a/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md +++ b/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md @@ -1,14 +1,14 @@ --- title: WindowsDefenderApplicationGuard DDF file description: Learn about the OMA DM device description framework (DDF) for the WindowsDefenderApplicationGuard DDF file configuration service provider (CSP). -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/10/2018 ms.reviewer: -manager: dansimp +manager: aaroncz --- # WindowsDefenderApplicationGuard DDF file diff --git a/windows/client-management/mdm/windowslicensing-csp.md b/windows/client-management/mdm/windowslicensing-csp.md index 0345c70924..f120a8272e 100644 --- a/windows/client-management/mdm/windowslicensing-csp.md +++ b/windows/client-management/mdm/windowslicensing-csp.md @@ -2,12 +2,12 @@ title: WindowsLicensing CSP description: Learn how the WindowsLicensing configuration service provider (CSP) is designed for licensing related management scenarios. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 08/15/2018 --- diff --git a/windows/client-management/mdm/windowslicensing-ddf-file.md b/windows/client-management/mdm/windowslicensing-ddf-file.md index c570da1af6..6ebeec7c74 100644 --- a/windows/client-management/mdm/windowslicensing-ddf-file.md +++ b/windows/client-management/mdm/windowslicensing-ddf-file.md @@ -2,12 +2,12 @@ title: WindowsLicensing DDF file description: Learn about the OMA DM device description framework (DDF) for the WindowsLicensing configuration service provider (CSP). ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 07/16/2017 --- diff --git a/windows/client-management/mdm/wirednetwork-csp.md b/windows/client-management/mdm/wirednetwork-csp.md index ff85447bbd..dd76d25d3e 100644 --- a/windows/client-management/mdm/wirednetwork-csp.md +++ b/windows/client-management/mdm/wirednetwork-csp.md @@ -1,14 +1,14 @@ --- title: WiredNetwork CSP description: The WiredNetwork configuration service provider (CSP) is used by the enterprise to configure wired Internet on devices that don't have GP. Learn how it works. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/27/2018 ms.reviewer: -manager: dansimp +manager: aaroncz --- # WiredNetwork CSP diff --git a/windows/client-management/mdm/wirednetwork-ddf-file.md b/windows/client-management/mdm/wirednetwork-ddf-file.md index f527c65745..9d071d2ad5 100644 --- a/windows/client-management/mdm/wirednetwork-ddf-file.md +++ b/windows/client-management/mdm/wirednetwork-ddf-file.md @@ -1,14 +1,14 @@ --- title: WiredNetwork DDF file -description: This topic shows the OMA DM device description framework (DDF) for the WiredNetwork configuration service provider. -ms.author: dansimp +description: This topic shows the OMA DM device description framework (DDF) for the WiredNetwork configuration service provider. +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/28/2018 ms.reviewer: -manager: dansimp +manager: aaroncz --- # WiredNetwork DDF file diff --git a/windows/client-management/mdm/wmi-providers-supported-in-windows.md b/windows/client-management/mdm/wmi-providers-supported-in-windows.md index c185fbbae1..3026a02d56 100644 --- a/windows/client-management/mdm/wmi-providers-supported-in-windows.md +++ b/windows/client-management/mdm/wmi-providers-supported-in-windows.md @@ -1,16 +1,16 @@ --- title: WMI providers supported in Windows 10 description: Manage settings and applications on devices that subscribe to the Mobile Device Management (MDM) service with Windows Management Infrastructure (WMI). -MS-HAID: -- 'p\_phdevicemgmt.wmi\_providers\_supported\_in\_windows\_10\_technical\_preview' -- 'p\_phDeviceMgmt.wmi\_providers\_supported\_in\_windows' +MS-HAID: + - 'p\_phdevicemgmt.wmi\_providers\_supported\_in\_windows\_10\_technical\_preview' + - 'p\_phDeviceMgmt.wmi\_providers\_supported\_in\_windows' ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/new-policies-for-windows-10.md b/windows/client-management/new-policies-for-windows-10.md index 386ac0ed29..5bc9aad966 100644 --- a/windows/client-management/new-policies-for-windows-10.md +++ b/windows/client-management/new-policies-for-windows-10.md @@ -2,10 +2,10 @@ title: New policies for Windows 10 (Windows 10) description: Learn how Windows 10 includes new policies for management, like Group Policy settings for the Windows system and components. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.prod: w10 -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/15/2021 ms.topic: reference diff --git a/windows/client-management/quick-assist.md b/windows/client-management/quick-assist.md index 28cd4f3642..b648d8d7c1 100644 --- a/windows/client-management/quick-assist.md +++ b/windows/client-management/quick-assist.md @@ -5,9 +5,9 @@ ms.prod: w10 ms.topic: article ms.technology: windows ms.localizationpriority: medium -author: aczechowski -ms.author: aaroncz -manager: dougeby +author: vinaypamnani-msft +ms.author: vinpa +manager: aaroncz ms.reviewer: pmadrigal ms.collection: highpri --- diff --git a/windows/client-management/windows-10-support-solutions.md b/windows/client-management/windows-10-support-solutions.md index 021f22ec21..6dd2f0b24a 100644 --- a/windows/client-management/windows-10-support-solutions.md +++ b/windows/client-management/windows-10-support-solutions.md @@ -2,10 +2,10 @@ title: Windows 10 support solutions description: Learn where to find information about troubleshooting Windows 10 issues, for example BitLocker issues and bugcheck errors. ms.reviewer: kaushika -manager: dansimp +manager: aaroncz ms.prod: w10 -ms.author: kaushika -author: kaushika-msft +ms.author: vinpa +author: vinaypamnani-msft ms.localizationpriority: medium ms.topic: troubleshooting --- diff --git a/windows/client-management/windows-libraries.md b/windows/client-management/windows-libraries.md index ffa5ea88a4..2ec424585c 100644 --- a/windows/client-management/windows-libraries.md +++ b/windows/client-management/windows-libraries.md @@ -1,13 +1,13 @@ --- ms.reviewer: -manager: dansimp +manager: aaroncz title: Windows Libraries ms.prod: windows-server-threshold -ms.author: dansimp +ms.author: vinpa ms.manager: dongill ms.technology: storage ms.topic: article -author: dansimp +author: vinaypamnani-msft description: All about Windows Libraries, which are containers for users' content, such as Documents and Pictures. ms.date: 09/15/2021 --- diff --git a/windows/client-management/windows-version-search.md b/windows/client-management/windows-version-search.md index ee3d39847a..939d36455a 100644 --- a/windows/client-management/windows-version-search.md +++ b/windows/client-management/windows-version-search.md @@ -5,11 +5,11 @@ keywords: Long-Term Servicing Channel, LTSC, LTSB, General Availability Channel, ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -author: dansimp -ms.author: dansimp +author: vinaypamnani-msft +ms.author: vinpa ms.date: 04/30/2018 ms.reviewer: -manager: dansimp +manager: aaroncz ms.topic: troubleshooting --- diff --git a/windows/configuration/changes-to-start-policies-in-windows-10.md b/windows/configuration/changes-to-start-policies-in-windows-10.md index eb7ef825c6..350a9ffd87 100644 --- a/windows/configuration/changes-to-start-policies-in-windows-10.md +++ b/windows/configuration/changes-to-start-policies-in-windows-10.md @@ -2,10 +2,10 @@ title: Changes to Group Policy settings for Windows 10 Start menu (Windows 10) description: Learn about changes to Group Policy settings for the Windows 10 Start menu. Also, learn about the new Windows 10 Start experience. ms.reviewer: -manager: dougeby +manager: aaroncz ms.prod: w10 -author: aczechowski -ms.author: aaroncz +author: lizgt2000 +ms.author: lizlong ms.topic: article ms.localizationpriority: medium ms.date: 11/28/2017 diff --git a/windows/configuration/configure-windows-10-taskbar.md b/windows/configuration/configure-windows-10-taskbar.md index e5de9e2f90..53a58baf77 100644 --- a/windows/configuration/configure-windows-10-taskbar.md +++ b/windows/configuration/configure-windows-10-taskbar.md @@ -1,17 +1,17 @@ --- title: Configure Windows 10 taskbar (Windows 10) -description: Administrators can pin more apps to the taskbar and remove default pinned apps from the taskbar by adding a section to a layout modification XML file. -keywords: ["taskbar layout","pin apps"] +description: Administrators can pin more apps to the taskbar and remove default pinned apps from the taskbar by adding a section to a layout modification XML file. +keywords: [taskbar layout, pin apps] ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -author: aczechowski -ms.author: aaroncz +author: lizgt2000 +ms.author: lizlong ms.topic: article ms.localizationpriority: medium ms.date: 01/18/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.collection: highpri --- # Configure Windows 10 taskbar diff --git a/windows/configuration/customize-and-export-start-layout.md b/windows/configuration/customize-and-export-start-layout.md index 5f13879817..747d7491b2 100644 --- a/windows/configuration/customize-and-export-start-layout.md +++ b/windows/configuration/customize-and-export-start-layout.md @@ -2,10 +2,10 @@ title: Customize and export Start layout (Windows 10) description: The easiest method for creating a customized Start layout is to set up the Start screen and export the layout. ms.reviewer: -manager: dougeby +manager: aaroncz ms.prod: w10 -author: aczechowski -ms.author: aaroncz +author: lizgt2000 +ms.author: lizlong ms.topic: article ms.localizationpriority: medium ms.date: 09/18/2018 diff --git a/windows/configuration/customize-start-menu-layout-windows-11.md b/windows/configuration/customize-start-menu-layout-windows-11.md index 069e047309..d50036f2c7 100644 --- a/windows/configuration/customize-start-menu-layout-windows-11.md +++ b/windows/configuration/customize-start-menu-layout-windows-11.md @@ -1,11 +1,11 @@ --- title: Add or remove pinned apps on the Start menu in Windows 11 | Microsoft Docs description: Export Start layout to LayoutModification.json with pinned apps, and add or remove pinned apps. Use the JSON text in an MDM policy to deploy a custom Start menu layout to Windows 11 devices. -manager: dougeby -ms.author: aaroncz +manager: aaroncz +ms.author: lizlong ms.reviewer: ericpapa ms.prod: w11 -author: aczechowski +author: lizgt2000 ms.localizationpriority: medium ms.collection: highpri --- diff --git a/windows/configuration/customize-taskbar-windows-11.md b/windows/configuration/customize-taskbar-windows-11.md index 51335436d5..f9af3940ce 100644 --- a/windows/configuration/customize-taskbar-windows-11.md +++ b/windows/configuration/customize-taskbar-windows-11.md @@ -1,11 +1,11 @@ --- title: Configure and customize Windows 11 taskbar | Microsoft Docs description: On Windows 11 devices, pin and unpin default apps and organization apps on the taskbar using an XML file. Deploy the taskbar XML file using Group Policy or MDM and Microsoft Endpoint Manager. See what happens to the taskbar when the Windows OS client is installed or upgraded. -manager: dougeby -ms.author: aaroncz +manager: aaroncz +ms.author: lizlong ms.reviewer: chataylo ms.prod: w11 -author: aczechowski +author: lizgt2000 ms.localizationpriority: medium ms.collection: highpri --- diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md index 15c1cc2cad..dff79978bd 100644 --- a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md +++ b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md @@ -2,11 +2,11 @@ title: Customize Windows 10 Start and taskbar with Group Policy (Windows 10) description: In Windows 10, you can use a Group Policy Object (GPO) to deploy a customized Start layout to users in a domain. ms.reviewer: -manager: dougeby +manager: aaroncz ms.prod: w10 -author: aczechowski +author: lizgt2000 ms.localizationpriority: medium -ms.author: aaroncz +ms.author: lizlong ms.topic: article ms.collection: highpri --- diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md b/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md index fb50dc5a39..d14d3320b6 100644 --- a/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md +++ b/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md @@ -2,11 +2,11 @@ title: Change the Windows 10 Start and taskbar using mobile device management | Microsoft Docs description: In Windows 10, you can use a mobile device management (MDM) policy to deploy a customized Start and taskbar layout to users. For example, use Microsoft Intune to configure the start menu layout and taskbar, and deploy the policy to your devices. ms.reviewer: -manager: dougeby +manager: aaroncz ms.prod: w10 -author: aczechowski +author: lizgt2000 ms.topic: article -ms.author: aaroncz +ms.author: lizlong ms.localizationpriority: medium ms.date: 08/05/2021 --- diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md b/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md index 0a2038ce7d..33777e162b 100644 --- a/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md +++ b/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md @@ -2,10 +2,10 @@ title: Customize Windows 10 Start and taskbar with provisioning packages (Windows 10) description: In Windows 10, you can use a provisioning package to deploy a customized Start layout to users. ms.reviewer: -manager: dougeby +manager: aaroncz ms.prod: w10 -author: aczechowski -ms.author: aaroncz +author: lizgt2000 +ms.author: lizlong ms.topic: article ms.localizationpriority: medium --- diff --git a/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md b/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md index 6691dbace6..27d56ce3c5 100644 --- a/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md +++ b/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md @@ -1,10 +1,10 @@ --- title: Find the Application User Model ID of an installed app ms.reviewer: sybruckm -manager: dougeby -description: To configure assigned access (kiosk mode), you need the Application User Model ID (AUMID) of apps installed on a device. -author: aczechowski -ms.author: aaroncz +manager: aaroncz +description: To configure assigned access (kiosk mode), you need the Application User Model ID (AUMID) of apps installed on a device. +author: lizgt2000 +ms.author: lizlong ms.topic: article ms.localizationpriority: medium ms.prod: w10 diff --git a/windows/configuration/guidelines-for-assigned-access-app.md b/windows/configuration/guidelines-for-assigned-access-app.md index 04f81753d3..28d7a44308 100644 --- a/windows/configuration/guidelines-for-assigned-access-app.md +++ b/windows/configuration/guidelines-for-assigned-access-app.md @@ -1,16 +1,16 @@ --- title: Guidelines for choosing an app for assigned access (Windows 10/11) description: The following guidelines may help you choose an appropriate Windows app for your assigned access experience. -keywords: ["kiosk", "lockdown", "assigned access"] +keywords: [kiosk, lockdown, assigned access] ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -author: aczechowski +author: lizgt2000 ms.localizationpriority: medium -ms.author: aaroncz +ms.author: lizlong ms.topic: article ms.reviewer: sybruckm -manager: dougeby +manager: aaroncz ms.collection: highpri --- diff --git a/windows/configuration/kiosk-additional-reference.md b/windows/configuration/kiosk-additional-reference.md index fda7a6c1da..3028bbe1c0 100644 --- a/windows/configuration/kiosk-additional-reference.md +++ b/windows/configuration/kiosk-additional-reference.md @@ -2,10 +2,10 @@ title: More kiosk methods and reference information (Windows 10/11) description: Find more information for configuring, validating, and troubleshooting kiosk configuration. ms.reviewer: sybruckm -manager: dougeby -ms.author: aaroncz +manager: aaroncz +ms.author: lizlong ms.prod: w10 -author: aczechowski +author: lizgt2000 ms.localizationpriority: medium ms.topic: reference --- diff --git a/windows/configuration/kiosk-mdm-bridge.md b/windows/configuration/kiosk-mdm-bridge.md index 509e5e3983..abda04599e 100644 --- a/windows/configuration/kiosk-mdm-bridge.md +++ b/windows/configuration/kiosk-mdm-bridge.md @@ -2,10 +2,10 @@ title: Use MDM Bridge WMI Provider to create a Windows 10/11 kiosk (Windows 10/11) description: Environments that use Windows Management Instrumentation (WMI) can use the MDM Bridge WMI Provider to configure the MDM_AssignedAccess class. ms.reviewer: sybruckm -manager: dougeby -ms.author: aaroncz +manager: aaroncz +ms.author: lizlong ms.prod: w10 -author: aczechowski +author: lizgt2000 ms.localizationpriority: medium ms.topic: article --- diff --git a/windows/configuration/kiosk-methods.md b/windows/configuration/kiosk-methods.md index b0fe2894f6..f2071ae8ea 100644 --- a/windows/configuration/kiosk-methods.md +++ b/windows/configuration/kiosk-methods.md @@ -1,12 +1,12 @@ --- title: Configure kiosks and digital signs on Windows 10/11 desktop editions ms.reviewer: sybruckm -manager: dougeby -ms.author: aaroncz +manager: aaroncz +ms.author: lizlong description: In this article, learn about the methods for configuring kiosks and digital signs on Windows 10 or Windows 11 desktop editions. ms.prod: w10 ms.localizationpriority: medium -author: aczechowski +author: lizgt2000 ms.topic: article ms.collection: highpri --- diff --git a/windows/configuration/kiosk-policies.md b/windows/configuration/kiosk-policies.md index a531192fa3..fda5b337bf 100644 --- a/windows/configuration/kiosk-policies.md +++ b/windows/configuration/kiosk-policies.md @@ -2,11 +2,11 @@ title: Policies enforced on kiosk devices (Windows 10/11) description: Learn about the policies enforced on a device when you configure it as a kiosk. ms.reviewer: sybruckm -manager: dougeby +manager: aaroncz ms.prod: w10 -author: aczechowski +author: lizgt2000 ms.localizationpriority: medium -ms.author: aaroncz +ms.author: lizlong ms.topic: article --- diff --git a/windows/configuration/kiosk-prepare.md b/windows/configuration/kiosk-prepare.md index 2712131087..011b3f06f3 100644 --- a/windows/configuration/kiosk-prepare.md +++ b/windows/configuration/kiosk-prepare.md @@ -2,10 +2,10 @@ title: Prepare a device for kiosk configuration on Windows 10/11 | Microsoft Docs description: Learn how to prepare a device for kiosk configuration. Also, learn about the recommended kiosk configuration changes. ms.reviewer: sybruckm -manager: dougeby -ms.author: aaroncz +manager: aaroncz +ms.author: lizlong ms.prod: w10 -author: aczechowski +author: lizgt2000 ms.localizationpriority: medium ms.topic: article ms.collection: highpri diff --git a/windows/configuration/kiosk-shelllauncher.md b/windows/configuration/kiosk-shelllauncher.md index 075be3e488..b2ccf80c40 100644 --- a/windows/configuration/kiosk-shelllauncher.md +++ b/windows/configuration/kiosk-shelllauncher.md @@ -2,10 +2,10 @@ title: Use Shell Launcher to create a Windows 10/11 kiosk (Windows 10/11) description: Shell Launcher lets you change the default shell that launches when a user signs in to a device. ms.reviewer: sybruckm -manager: dougeby -ms.author: aaroncz +manager: aaroncz +ms.author: lizlong ms.prod: w10 -author: aczechowski +author: lizgt2000 ms.localizationpriority: medium ms.topic: article ms.collection: highpri diff --git a/windows/configuration/kiosk-single-app.md b/windows/configuration/kiosk-single-app.md index 7c13c2715e..8410a63f1f 100644 --- a/windows/configuration/kiosk-single-app.md +++ b/windows/configuration/kiosk-single-app.md @@ -2,10 +2,10 @@ title: Set up a single-app kiosk on Windows 10/11 description: A single-use device is easy to set up in Windows 10 and Windows 11 for desktop editions (Pro, Enterprise, and Education). ms.reviewer: sybruckm -manager: dougeby -ms.author: aaroncz +manager: aaroncz +ms.author: lizlong ms.prod: w10 -author: aczechowski +author: lizgt2000 ms.localizationpriority: medium ms.topic: article ms.collection: highpri diff --git a/windows/configuration/kiosk-troubleshoot.md b/windows/configuration/kiosk-troubleshoot.md index 091872a845..ad0602aff4 100644 --- a/windows/configuration/kiosk-troubleshoot.md +++ b/windows/configuration/kiosk-troubleshoot.md @@ -2,11 +2,11 @@ title: Troubleshoot kiosk mode issues (Windows 10/11) description: Learn how to troubleshoot single-app and multi-app kiosk configurations, as well as common problems like sign-in issues. ms.reviewer: sybruckm -manager: dougeby +manager: aaroncz ms.prod: w10 -author: aczechowski +author: lizgt2000 ms.localizationpriority: medium -ms.author: aaroncz +ms.author: lizlong ms.topic: article --- diff --git a/windows/configuration/kiosk-validate.md b/windows/configuration/kiosk-validate.md index dfc4d3e91d..6a43b111e8 100644 --- a/windows/configuration/kiosk-validate.md +++ b/windows/configuration/kiosk-validate.md @@ -2,10 +2,10 @@ title: Validate kiosk configuration (Windows 10/11) description: In this article, learn what to expect on a multi-app kiosk in Windows 10/11 Pro, Enterprise, and Education. ms.reviewer: sybruckm -manager: dougeby -ms.author: aaroncz +manager: aaroncz +ms.author: lizlong ms.prod: w10 -author: aczechowski +author: lizgt2000 ms.localizationpriority: medium ms.topic: article --- diff --git a/windows/configuration/kiosk-xml.md b/windows/configuration/kiosk-xml.md index a5f84dcc40..d26ff8c364 100644 --- a/windows/configuration/kiosk-xml.md +++ b/windows/configuration/kiosk-xml.md @@ -2,11 +2,11 @@ title: Assigned Access configuration kiosk XML reference (Windows 10/11) description: Learn about the assigned access configuration (kiosk) for XML and XSD for kiosk device configuration in Windows 10/11. ms.reviewer: sybruckm -manager: dougeby +manager: aaroncz ms.prod: w10 -author: aczechowski +author: lizgt2000 ms.localizationpriority: medium -ms.author: aaroncz +ms.author: lizlong ms.topic: article --- diff --git a/windows/configuration/lock-down-windows-10-applocker.md b/windows/configuration/lock-down-windows-10-applocker.md index 4552e63e33..7c5751d47e 100644 --- a/windows/configuration/lock-down-windows-10-applocker.md +++ b/windows/configuration/lock-down-windows-10-applocker.md @@ -2,12 +2,12 @@ title: Use AppLocker to create a Windows 10 kiosk that runs multiple apps (Windows 10) description: Learn how to use AppLocker to configure a kiosk device running Windows 10 Enterprise or Windows 10 Education so that users can only run a few specific apps. ms.reviewer: sybruckm -manager: dougeby +manager: aaroncz ms.prod: w10 -author: aczechowski +author: lizgt2000 ms.localizationpriority: medium ms.date: 07/30/2018 -ms.author: aaroncz +ms.author: lizlong ms.topic: article --- diff --git a/windows/configuration/lock-down-windows-10-to-specific-apps.md b/windows/configuration/lock-down-windows-10-to-specific-apps.md index fcc521e9df..209003e5e1 100644 --- a/windows/configuration/lock-down-windows-10-to-specific-apps.md +++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md @@ -3,9 +3,9 @@ title: Set up a multi-app kiosk on Windows 10 description: Learn how to configure a kiosk device running Windows 10 so that users can only run a few specific apps. ms.prod: w10 ms.technology: windows -author: aczechowski -ms.author: aaroncz -manager: dougeby +author: lizgt2000 +ms.author: lizlong +manager: aaroncz ms.reviewer: sybruckm ms.localizationpriority: medium ms.topic: how-to diff --git a/windows/configuration/lockdown-features-windows-10.md b/windows/configuration/lockdown-features-windows-10.md index caeb98056f..05bf244383 100644 --- a/windows/configuration/lockdown-features-windows-10.md +++ b/windows/configuration/lockdown-features-windows-10.md @@ -1,11 +1,11 @@ --- title: Lockdown features from Windows Embedded 8.1 Industry (Windows 10) -description: Many of the lockdown features available in Windows Embedded 8.1 Industry have been modified in some form for Windows 10. +description: Many of the lockdown features available in Windows Embedded 8.1 Industry have been modified in some form for Windows 10. ms.reviewer: -manager: dougeby +manager: aaroncz ms.prod: w10 -author: aczechowski -ms.author: aaroncz +author: lizgt2000 +ms.author: lizlong ms.topic: article ms.localizationpriority: medium --- diff --git a/windows/configuration/manage-tips-and-suggestions.md b/windows/configuration/manage-tips-and-suggestions.md index 6eb41bde06..13dd5ee45a 100644 --- a/windows/configuration/manage-tips-and-suggestions.md +++ b/windows/configuration/manage-tips-and-suggestions.md @@ -1,14 +1,14 @@ --- title: Manage Windows 10 and Microsoft Store tips, fun facts, and suggestions (Windows 10) -description: Windows 10 provides organizations with various options to manage user experiences to provide a consistent and predictable experience for employees. +description: Windows 10 provides organizations with various options to manage user experiences to provide a consistent and predictable experience for employees. ms.prod: w10 -author: aczechowski -ms.author: aaroncz +author: lizgt2000 +ms.author: lizlong ms.topic: article ms.localizationpriority: medium ms.date: 09/20/2017 ms.reviewer: -manager: dougeby +manager: aaroncz --- # Manage Windows 10 and Microsoft Store tips, "fun facts", and suggestions diff --git a/windows/configuration/manage-wifi-sense-in-enterprise.md b/windows/configuration/manage-wifi-sense-in-enterprise.md index 1bd58d5c1e..eaff525abc 100644 --- a/windows/configuration/manage-wifi-sense-in-enterprise.md +++ b/windows/configuration/manage-wifi-sense-in-enterprise.md @@ -2,10 +2,10 @@ title: Manage Wi-Fi Sense in your company (Windows 10) description: Wi-Fi Sense automatically connects you to Wi-Fi, so you can get online quickly in more places. ms.reviewer: -manager: dougeby -ms.author: aaroncz +manager: aaroncz +ms.author: lizlong ms.prod: w10 -author: aczechowski +author: lizgt2000 ms.localizationpriority: medium ms.topic: article --- diff --git a/windows/configuration/provisioning-apn.md b/windows/configuration/provisioning-apn.md index a168bce8f6..2971e83a97 100644 --- a/windows/configuration/provisioning-apn.md +++ b/windows/configuration/provisioning-apn.md @@ -2,10 +2,10 @@ title: Configure cellular settings for tablets and PCs (Windows 10) description: Enterprises can provision cellular settings for tablets and PC with built-in cellular modems or plug-in USB modem dongles. ms.reviewer: -manager: dougeby +manager: aaroncz ms.prod: w10 -author: aczechowski -ms.author: aaroncz +author: lizgt2000 +ms.author: lizlong ms.topic: article ms.localizationpriority: medium ms.date: 04/13/2018 diff --git a/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md b/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md index b37a32b863..3e4b126512 100644 --- a/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md +++ b/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md @@ -1,11 +1,11 @@ --- title: Configuration service providers for IT pros (Windows 10/11) -description: Describes how IT pros and system administrators can use configuration service providers (CSPs) to configure devices. +description: Describes how IT pros and system administrators can use configuration service providers (CSPs) to configure devices. ms.reviewer: gkomatsu -manager: dougeby +manager: aaroncz ms.prod: w10 -author: aczechowski -ms.author: aaroncz +author: lizgt2000 +ms.author: lizlong ms.topic: article ms.localizationpriority: medium --- diff --git a/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md b/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md index 53591bd83f..149f92d455 100644 --- a/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md +++ b/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md @@ -1,11 +1,11 @@ --- title: Provision PCs with common settings (Windows 10/11) -description: Create a provisioning package to apply common settings to a PC running Windows 10. +description: Create a provisioning package to apply common settings to a PC running Windows 10. ms.reviewer: gkomatsu -manager: dougeby +manager: aaroncz ms.prod: w10 -author: aczechowski -ms.author: aaroncz +author: lizgt2000 +ms.author: lizlong ms.topic: article ms.localizationpriority: medium --- diff --git a/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md b/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md index 45c362c928..2e3e08cf89 100644 --- a/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md +++ b/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md @@ -1,14 +1,14 @@ --- title: Provision PCs with apps and certificates (Windows 10) -description: Create a provisioning package to apply settings to a PC running Windows 10. +description: Create a provisioning package to apply settings to a PC running Windows 10. ms.prod: w10 -author: aczechowski -ms.author: aaroncz +author: lizgt2000 +ms.author: lizlong ms.topic: article ms.localizationpriority: medium ms.date: 07/27/2017 ms.reviewer: -manager: dougeby +manager: aaroncz --- # Provision PCs with apps and certificates for initial deployment (advanced provisioning) diff --git a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md index b35c477258..c96322afd3 100644 --- a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md +++ b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md @@ -2,12 +2,12 @@ title: Provision PCs with apps (Windows 10/11) description: Learn how to install multiple Universal Windows Platform (UWP) apps and Windows desktop applications (Win32) in a provisioning package. ms.prod: w10 -author: aczechowski +author: lizgt2000 ms.localizationpriority: medium -ms.author: aaroncz +ms.author: lizlong ms.topic: article ms.reviewer: gkomatsu -manager: dougeby +manager: aaroncz --- # Provision PCs with apps diff --git a/windows/configuration/provisioning-packages/provisioning-apply-package.md b/windows/configuration/provisioning-packages/provisioning-apply-package.md index 97a1f3bd50..f3f3796147 100644 --- a/windows/configuration/provisioning-packages/provisioning-apply-package.md +++ b/windows/configuration/provisioning-packages/provisioning-apply-package.md @@ -1,13 +1,13 @@ --- title: Apply a provisioning package (Windows 10/11) -description: Provisioning packages can be applied to a device during initial setup (OOBE) and after ("runtime"). +description: Provisioning packages can be applied to a device during initial setup (OOBE) and after (runtime). ms.prod: w10 -author: aczechowski -ms.author: aaroncz +author: lizgt2000 +ms.author: lizlong ms.topic: article ms.localizationpriority: medium ms.reviewer: gkomatsu -manager: dougeby +manager: aaroncz --- # Apply a provisioning package diff --git a/windows/configuration/provisioning-packages/provisioning-command-line.md b/windows/configuration/provisioning-packages/provisioning-command-line.md index fbe7aecde9..365710b8c3 100644 --- a/windows/configuration/provisioning-packages/provisioning-command-line.md +++ b/windows/configuration/provisioning-packages/provisioning-command-line.md @@ -2,12 +2,12 @@ title: Windows Configuration Designer command-line interface (Windows 10/11) description: Learn more about the ICD syntax, switches, and arguments that you can use in the Windows Configuration Designer command-line interface for Windows10/11 client devices. ms.prod: w10 -author: aczechowski -ms.author: aaroncz +author: lizgt2000 +ms.author: lizlong ms.topic: article ms.localizationpriority: medium ms.reviewer: gkomatsu -manager: dougeby +manager: aaroncz --- # Windows Configuration Designer command-line interface (reference) diff --git a/windows/configuration/provisioning-packages/provisioning-create-package.md b/windows/configuration/provisioning-packages/provisioning-create-package.md index 3d88ee9da1..a7fc0987ba 100644 --- a/windows/configuration/provisioning-packages/provisioning-create-package.md +++ b/windows/configuration/provisioning-packages/provisioning-create-package.md @@ -2,12 +2,12 @@ title: Create a provisioning package (Windows 10/11) description: Learn how to create a provisioning package for Windows 10/11, which lets you quickly configure a device without having to install a new image. ms.prod: w10 -author: aczechowski -ms.author: aaroncz +author: lizgt2000 +ms.author: lizlong ms.topic: article ms.localizationpriority: medium ms.reviewer: gkomatsu -manager: dougeby +manager: aaroncz ms.collection: highpri --- diff --git a/windows/configuration/provisioning-packages/provisioning-how-it-works.md b/windows/configuration/provisioning-packages/provisioning-how-it-works.md index 5d03c7ed2f..935cd2807e 100644 --- a/windows/configuration/provisioning-packages/provisioning-how-it-works.md +++ b/windows/configuration/provisioning-packages/provisioning-how-it-works.md @@ -1,13 +1,13 @@ --- title: How provisioning works in Windows 10/11 -description: Learn more about how provisioning package work on Windows client devices. A provisioning package (.ppkg) is a container for a collection of configuration settings. +description: Learn more about how provisioning package work on Windows client devices. A provisioning package (.ppkg) is a container for a collection of configuration settings. ms.prod: w10 -author: aczechowski -ms.author: aaroncz +author: lizgt2000 +ms.author: lizlong ms.topic: article ms.localizationpriority: medium ms.reviewer: gkomatsu -manager: dougeby +manager: aaroncz --- # How provisioning works in Windows diff --git a/windows/configuration/provisioning-packages/provisioning-install-icd.md b/windows/configuration/provisioning-packages/provisioning-install-icd.md index bae03efaf1..6440a0c7d2 100644 --- a/windows/configuration/provisioning-packages/provisioning-install-icd.md +++ b/windows/configuration/provisioning-packages/provisioning-install-icd.md @@ -1,13 +1,13 @@ --- title: Install Windows Configuration Designer (Windows 10/11) -description: Learn how to install and use Windows Configuration Designer so you can easily configure devices running Windows 10/11. +description: Learn how to install and use Windows Configuration Designer so you can easily configure devices running Windows 10/11. ms.prod: w10 -author: aczechowski -ms.author: aaroncz +author: lizgt2000 +ms.author: lizlong ms.topic: article ms.localizationpriority: medium ms.reviewer: gkomatsu -manager: dougeby +manager: aaroncz ms.collection: highpri --- diff --git a/windows/configuration/provisioning-packages/provisioning-multivariant.md b/windows/configuration/provisioning-packages/provisioning-multivariant.md index 65b4475739..36f22395b0 100644 --- a/windows/configuration/provisioning-packages/provisioning-multivariant.md +++ b/windows/configuration/provisioning-packages/provisioning-multivariant.md @@ -2,12 +2,12 @@ title: Create a provisioning package with multivariant settings (Windows 10/11) description: Create a provisioning package with multivariant settings to customize the provisioned settings for defined conditions. ms.prod: w10 -author: aczechowski +author: lizgt2000 ms.topic: article ms.localizationpriority: medium ms.reviewer: gkomatsu -manager: dougeby -ms.author: aaroncz +manager: aaroncz +ms.author: lizlong --- # Create a provisioning package with multivariant settings diff --git a/windows/configuration/provisioning-packages/provisioning-packages.md b/windows/configuration/provisioning-packages/provisioning-packages.md index b37ea19251..48a18fc43e 100644 --- a/windows/configuration/provisioning-packages/provisioning-packages.md +++ b/windows/configuration/provisioning-packages/provisioning-packages.md @@ -2,10 +2,10 @@ title: Provisioning packages overview on Windows 10/11 description: With Windows 10 and Windows 11, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. Learn about what provisioning packages, are and what they do. ms.reviewer: gkomatsu -manager: dougeby +manager: aaroncz ms.prod: w10 -author: aczechowski -ms.author: aaroncz +author: lizgt2000 +ms.author: lizlong ms.topic: article ms.localizationpriority: medium ms.collection: highpri diff --git a/windows/configuration/provisioning-packages/provisioning-powershell.md b/windows/configuration/provisioning-packages/provisioning-powershell.md index 0698178c23..76c5aaf5a9 100644 --- a/windows/configuration/provisioning-packages/provisioning-powershell.md +++ b/windows/configuration/provisioning-packages/provisioning-powershell.md @@ -2,12 +2,12 @@ title: PowerShell cmdlets for provisioning Windows 10/11 (Windows 10/11) description: Learn more about the Windows PowerShell cmdlets that you can use with Provisioning packages on Windows10/11 client desktop devices. ms.prod: w10 -author: aczechowski -ms.author: aaroncz +author: lizgt2000 +ms.author: lizlong ms.topic: article ms.localizationpriority: medium ms.reviewer: gkomatsu -manager: dougeby +manager: aaroncz --- # PowerShell cmdlets for provisioning Windows client (reference) diff --git a/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md b/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md index e768666071..b203cd0294 100644 --- a/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md +++ b/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md @@ -2,12 +2,12 @@ title: Use a script to install a desktop app in provisioning packages (Windows 10/11) description: With Windows 10/11, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. ms.prod: w10 -author: aczechowski -ms.author: aaroncz +author: lizgt2000 +ms.author: lizlong ms.topic: article ms.localizationpriority: medium ms.reviewer: gkomatsu -manager: dougeby +manager: aaroncz --- # Use a script to install a desktop app in provisioning packages diff --git a/windows/configuration/provisioning-packages/provisioning-uninstall-package.md b/windows/configuration/provisioning-packages/provisioning-uninstall-package.md index 6dc35cd108..553df87c89 100644 --- a/windows/configuration/provisioning-packages/provisioning-uninstall-package.md +++ b/windows/configuration/provisioning-packages/provisioning-uninstall-package.md @@ -2,12 +2,12 @@ title: Uninstall a provisioning package - reverted settings (Windows 10/11) description: This article lists the settings that are reverted when you uninstall a provisioning package on Windows 10/11 desktop client devices. ms.prod: w10 -author: aczechowski -ms.author: aaroncz +author: lizgt2000 +ms.author: lizlong ms.topic: article ms.localizationpriority: medium ms.reviewer: gkomatsu -manager: dougeby +manager: aaroncz --- # Settings changed when you uninstall a provisioning package diff --git a/windows/configuration/set-up-shared-or-guest-pc.md b/windows/configuration/set-up-shared-or-guest-pc.md index a9bfdbcfdf..191ecb60c4 100644 --- a/windows/configuration/set-up-shared-or-guest-pc.md +++ b/windows/configuration/set-up-shared-or-guest-pc.md @@ -2,12 +2,12 @@ title: Set up a shared or guest PC with Windows 10/11 description: Windows 10 and Windows has shared PC mode, which optimizes Windows client for shared use scenarios. ms.prod: w10 -author: aczechowski -ms.author: aaroncz +author: lizgt2000 +ms.author: lizlong ms.topic: article ms.localizationpriority: medium ms.reviewer: sybruckm -manager: dougeby +manager: aaroncz ms.collection: highpri --- diff --git a/windows/configuration/setup-digital-signage.md b/windows/configuration/setup-digital-signage.md index dff1da75a5..572cd93eff 100644 --- a/windows/configuration/setup-digital-signage.md +++ b/windows/configuration/setup-digital-signage.md @@ -2,10 +2,10 @@ title: Set up digital signs on Windows 10/11 description: A single-use device such as a digital sign is easy to set up in Windows 10 and Windows 11 (Pro, Enterprise, and Education). ms.reviewer: sybruckm -manager: dougeby -ms.author: aaroncz +manager: aaroncz +ms.author: lizlong ms.prod: w10 -author: aczechowski +author: lizgt2000 ms.localizationpriority: medium ms.date: 09/20/2021 ms.topic: article diff --git a/windows/configuration/start-layout-troubleshoot.md b/windows/configuration/start-layout-troubleshoot.md index 793a35d714..28d3a28707 100644 --- a/windows/configuration/start-layout-troubleshoot.md +++ b/windows/configuration/start-layout-troubleshoot.md @@ -2,11 +2,11 @@ title: Troubleshoot Start menu errors description: Learn how to troubleshoot common Start menu errors in Windows 10. For example, learn to troubleshoot errors related to deployment, crashes, and performance. ms.prod: w10 -ms.author: aaroncz -author: aczechowski +ms.author: lizlong +author: lizgt2000 ms.localizationpriority: medium ms.reviewer: -manager: dougeby +manager: aaroncz ms.topic: troubleshooting ms.collection: highpri --- diff --git a/windows/configuration/start-layout-xml-desktop.md b/windows/configuration/start-layout-xml-desktop.md index ffcdeef194..4d719d63a3 100644 --- a/windows/configuration/start-layout-xml-desktop.md +++ b/windows/configuration/start-layout-xml-desktop.md @@ -2,12 +2,12 @@ title: Start layout XML for desktop editions of Windows 10 (Windows 10) description: This article describes the options for customizing Start layout in LayoutModification.xml for Windows 10 desktop editions. ms.prod: w10 -author: aczechowski -ms.author: aaroncz +author: lizgt2000 +ms.author: lizlong ms.topic: article ms.date: 10/02/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.localizationpriority: medium ms.collection: highpri --- diff --git a/windows/configuration/start-secondary-tiles.md b/windows/configuration/start-secondary-tiles.md index 20c333fb2d..23f838107a 100644 --- a/windows/configuration/start-secondary-tiles.md +++ b/windows/configuration/start-secondary-tiles.md @@ -3,11 +3,11 @@ title: Add image for secondary Microsoft Edge tiles (Windows 10) description: Add app tiles on Windows 10 that's a secondary tile. ms.prod: w10 ms.localizationpriority: medium -author: aczechowski -ms.author: aaroncz +author: lizgt2000 +ms.author: lizlong ms.topic: article ms.reviewer: -manager: dougeby +manager: aaroncz --- # Add image for secondary Microsoft Edge tiles diff --git a/windows/configuration/stop-employees-from-using-microsoft-store.md b/windows/configuration/stop-employees-from-using-microsoft-store.md index e819e8e329..03338078f4 100644 --- a/windows/configuration/stop-employees-from-using-microsoft-store.md +++ b/windows/configuration/stop-employees-from-using-microsoft-store.md @@ -2,10 +2,10 @@ title: Configure access to Microsoft Store (Windows 10) description: Learn how to configure access to Microsoft Store for client computers and mobile devices in your organization. ms.reviewer: -manager: dougeby +manager: aaroncz ms.prod: w10 -author: aczechowski -ms.author: aaroncz +author: lizgt2000 +ms.author: lizlong ms.topic: conceptual ms.localizationpriority: medium ms.date: 4/16/2018 diff --git a/windows/configuration/supported-csp-start-menu-layout-windows.md b/windows/configuration/supported-csp-start-menu-layout-windows.md index 30ef22ea5a..cc9735faab 100644 --- a/windows/configuration/supported-csp-start-menu-layout-windows.md +++ b/windows/configuration/supported-csp-start-menu-layout-windows.md @@ -1,11 +1,11 @@ --- title: Supported CSP policies to customize Start menu on Windows 11 | Microsoft Docs description: See a list of the Policy CSP - Start items that are supported on Windows 11 to customize the Start menu. -manager: dougeby -ms.author: aaroncz +manager: aaroncz +ms.author: lizlong ms.reviewer: ericpapa ms.prod: w11 -author: aczechowski +author: lizgt2000 ms.localizationpriority: medium --- diff --git a/windows/configuration/supported-csp-taskbar-windows.md b/windows/configuration/supported-csp-taskbar-windows.md index 40ada8b099..da0f246bc9 100644 --- a/windows/configuration/supported-csp-taskbar-windows.md +++ b/windows/configuration/supported-csp-taskbar-windows.md @@ -1,11 +1,11 @@ --- title: Supported CSP policies to customize the Taskbar on Windows 11 | Microsoft Docs description: See a list of the Policy CSP - Start items that are supported on Windows 11 to customize the Taskbar. -manager: dougeby -ms.author: aaroncz +manager: aaroncz +ms.author: lizlong ms.reviewer: chataylo ms.prod: w11 -author: aczechowski +author: lizgt2000 ms.localizationpriority: medium --- diff --git a/windows/configuration/windows-10-accessibility-for-ITPros.md b/windows/configuration/windows-10-accessibility-for-ITPros.md index 7216a009d5..6bd9df7cb4 100644 --- a/windows/configuration/windows-10-accessibility-for-ITPros.md +++ b/windows/configuration/windows-10-accessibility-for-ITPros.md @@ -1,14 +1,14 @@ --- title: Windows 10 accessibility information for IT Pros (Windows 10) -description: Lists the various accessibility features available in Windows 10 with links to detailed guidance on how to set them +description: Lists the various accessibility features available in Windows 10 with links to detailed guidance on how to set them keywords: accessibility, settings, vision, hearing, physical, cognition, assistive ms.prod: w10 -ms.author: aaroncz -author: aczechowski +ms.author: lizlong +author: lizgt2000 ms.localizationpriority: medium ms.date: 01/12/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.topic: reference --- diff --git a/windows/configuration/windows-10-start-layout-options-and-policies.md b/windows/configuration/windows-10-start-layout-options-and-policies.md index 4965185168..11028a1ef0 100644 --- a/windows/configuration/windows-10-start-layout-options-and-policies.md +++ b/windows/configuration/windows-10-start-layout-options-and-policies.md @@ -2,10 +2,10 @@ title: Customize and manage the Windows 10 Start and taskbar layout (Windows 10) | Microsoft Docs description: On Windows devices, customize the start menu layout and taskbar using XML, group policy, provisioning package, or MDM policy. You can add pinned folders, add a start menu size, pin apps to the taskbar, and more. ms.reviewer: -manager: dougeby +manager: aaroncz ms.prod: w10 -author: aczechowski -ms.author: aaroncz +author: lizgt2000 +ms.author: lizlong ms.topic: article ms.localizationpriority: medium ms.date: 08/05/2021 diff --git a/windows/configuration/windows-spotlight.md b/windows/configuration/windows-spotlight.md index 1843dcff55..fcf7dec824 100644 --- a/windows/configuration/windows-spotlight.md +++ b/windows/configuration/windows-spotlight.md @@ -2,10 +2,10 @@ title: Configure Windows Spotlight on the lock screen (Windows 10) description: Windows Spotlight is an option for the lock screen background that displays different background images on the lock screen. ms.reviewer: -manager: dougeby +manager: aaroncz ms.prod: w10 -author: aczechowski -ms.author: aaroncz +author: lizgt2000 +ms.author: lizlong ms.topic: article ms.localizationpriority: medium ms.date: 04/30/2018 diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml index 35e59bd128..073d1e0582 100644 --- a/windows/deployment/TOC.yml +++ b/windows/deployment/TOC.yml @@ -202,9 +202,13 @@ - name: Use Update Compliance (preview) items: - name: Use Update Compliance - href: update/update-compliance-v2-use.md + href: update/update-compliance-v2-use.md + - name: Update Compliance workbook + href: update/update-compliance-v2-workbook.md - name: Software updates in the Microsoft admin center (preview) - href: update/update-status-admin-center.md + href: update/update-status-admin-center.md + - name: Feedback, support, and troubleshooting + href: update/update-compliance-v2-help.md - name: Update Compliance schema reference (preview) items: - name: Update Compliance schema reference diff --git a/windows/deployment/deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md index 1e4ef75b50..af75531621 100644 --- a/windows/deployment/deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md @@ -21,8 +21,8 @@ Operating system images are typically the production image used for deployment t ## Infrastructure -For the purposes of this guide, we will use one server computer: CM01. -- CM01 is a domain member server and Configuration Manager software distribution point. In this guide CM01 is a standalone primary site server. +For the purposes of this guide, we'll use one server computer: CM01. +- CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server. - CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). @@ -46,7 +46,7 @@ An existing Configuration Manager infrastructure that is integrated with MDT is 5. On the **General** page, assign the name Windows 10 Enterprise x64 RTM, click **Next** twice, and then click **Close**. 6. Distribute the operating system image to the CM01 distribution point by right-clicking the **Windows 10 Enterprise x64 RTM** operating system image and then clicking **Distribute Content**. 7. In the Distribute Content Wizard, add the CM01 distribution point, click **Next** and click **Close**. -8. View the content status for the Windows 10 Enterprise x64 RTM package. Do not continue until the distribution is completed (it might take a few minutes). You also can review the D:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file and look for the **STATMSG: ID=2301** line. +8. View the content status for the Windows 10 Enterprise x64 RTM package. Don't continue until the distribution is completed (it might take a few minutes). You also can review the D:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file and look for the **STATMSG: ID=2301** line. ![figure 18.](../images/fig18-distwindows.png) diff --git a/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md index 4dad48dc9d..1d57288f6f 100644 --- a/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md @@ -17,10 +17,10 @@ ms.custom: seo-marvel-apr2020 - Windows 10 -In this topic, you will learn how to configure the Windows Preinstallation Environment (Windows PE) to include the network drivers required to connect to the deployment share and the storage drivers required to see the local storage on machines. Even though the Windows PE boot image and the Windows 10 operating system contain many out-of-the-box drivers, it is likely you will have to add new or updated drivers to support all your hardware. In this section, you import drivers for both Windows PE and the full Windows 10 operating system. +In this topic, you'll learn how to configure the Windows Preinstallation Environment (Windows PE) to include the network drivers required to connect to the deployment share and the storage drivers required to see the local storage on machines. Even though the Windows PE boot image and the Windows 10 operating system contain many out-of-the-box drivers, it's likely you'll have to add new or updated drivers to support all your hardware. In this section, you import drivers for both Windows PE and the full Windows 10 operating system. -For the purposes of this guide, we will use one server computer: CM01. -- CM01 is a domain member server and Configuration Manager software distribution point. In this guide CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. +For the purposes of this guide, we'll use one server computer: CM01. +- CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). @@ -29,9 +29,9 @@ For the purposes of this guide, we will use one server computer: CM01. This section will show you how to import some network and storage drivers for Windows PE. >[!NOTE] ->Windows PE usually has a fairly comprehensive set of drivers out of the box, assuming that you are using a recent version of the Windows ADK. This is different than the full Windows OS which will often require drivers. You shouldn't add drivers to Windows PE unless you have an issue or are missing functionality, and in these cases you should only add the driver that you need. An example of a common driver that is added is the Intel I217 driver. Adding too many drivers can cause conflicts and lead to driver bloat in the Config Mgr database. This section shows you how to add drivers, but typically you can just skip this procedure. +>Windows PE usually has a fairly comprehensive set of drivers out of the box, assuming that you are using a recent version of the Windows ADK. This is different than the full Windows OS which will often require drivers. You shouldn't add drivers to Windows PE unless you've an issue or are missing functionality, and in these cases you should only add the driver that you need. An example of a common driver that is added is the Intel I217 driver. Adding too many drivers can cause conflicts and lead to driver bloat in the Config Mgr database. This section shows you how to add drivers, but typically you can just skip this procedure. -This section assumes you have downloaded some drivers to the **D:\\Sources\\OSD\\DriverSources\\WinPE x64** folder on CM01. +This section assumes you've downloaded some drivers to the **D:\\Sources\\OSD\\DriverSources\\WinPE x64** folder on CM01. ![Drivers.](../images/cm01-drivers.png) @@ -58,7 +58,7 @@ On **CM01**: This section illustrates how to add drivers for Windows 10 using the HP EliteBook 8560w as an example. Use the HP Image Assistant from the [HP Client Management Solutions site](https://hp.com/go/clientmanagement). -For the purposes of this section, we assume that you have downloaded the Windows 10 drivers for the HP EliteBook 8560w model and copied them to the **D:\Sources$\OSD\DriverSources\Windows 10 x64\Hewlett-Packard\HP EliteBook 8560w** folder on CM01. +For the purposes of this section, we assume that you've downloaded the Windows 10 drivers for the HP EliteBook 8560w model and copied them to the **D:\Sources$\OSD\DriverSources\Windows 10 x64\Hewlett-Packard\HP EliteBook 8560w** folder on CM01. ![Drivers in Windows.](../images/cm01-drivers-windows.png) @@ -81,9 +81,9 @@ On **CM01**: * Path: \\\\CM01\\Sources$\\OSD\\DriverPackages\\Windows 10 x64\\Hewlett-Packard\\HP EliteBook 8560w >[!NOTE] - >The package path does not yet exist, so you have to type it in. The wizard will create the new package using the path you specify. + >The package path does not yet exist, so you've to type it in. The wizard will create the new package using the path you specify. -5. On the **Select drivers to include in the boot image** page, do not select anything, and click **Next** twice. After the package has been created, click **Close**. +5. On the **Select drivers to include in the boot image** page, don't select anything, and click **Next** twice. After the package has been created, click **Close**. >[!NOTE] >If you want to monitor the driver import process more closely, you can open the SMSProv.log file during driver import. diff --git a/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md b/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md index e925ac8f45..fb7aae6b8e 100644 --- a/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md @@ -20,16 +20,16 @@ ms.custom: seo-marvel-apr2020 In Microsoft Endpoint Configuration Manager, you can create custom Windows Preinstallation Environment (Windows PE) boot images that include extra components and features. This topic shows you how to create a custom Windows PE 5.0 boot image with the Microsoft Deployment Toolkit (MDT) wizard. You can also add the Microsoft Diagnostics and Recovery Toolset (DaRT) 10 to the boot image as part of the boot image creation process. - The boot image that is created is based on the version of ADK that is installed. -For the purposes of this guide, we will use one server computer: CM01. -- CM01 is a domain member server and Configuration Manager software distribution point. In this guide CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. +For the purposes of this guide, we'll use one server computer: CM01. +- CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). ## Add DaRT 10 files and prepare to brand the boot image -The steps below outline the process for adding DaRT 10 installation files to the MDT installation directory. You also copy a custom background image to be used later. These steps are optional. If you do not wish to add DaRT, skip the steps below to copy DaRT tools and later skip adding the DaRT component to the boot image. +The steps below outline the process for adding DaRT 10 installation files to the MDT installation directory. You also copy a custom background image to be used later. These steps are optional. If you don't wish to add DaRT, skip the steps below to copy DaRT tools and later skip adding the DaRT component to the boot image. -We assume you have downloaded [Microsoft Desktop Optimization Pack (MDOP) 2015](https://my.visualstudio.com/Downloads?q=Desktop%20Optimization%20Pack%202015) and copied the x64 version of MSDaRT100.msi to the **C:\\Setup\\DaRT 10** folder on CM01. We also assume you have created a custom background image and saved it in **C:\\Setup\\Branding** on CM01. In this section, we use a custom background image named ContosoBackground.bmp. +We assume you've downloaded [Microsoft Desktop Optimization Pack (MDOP) 2015](https://my.visualstudio.com/Downloads?q=Desktop%20Optimization%20Pack%202015) and copied the x64 version of MSDaRT100.msi to the **C:\\Setup\\DaRT 10** folder on CM01. We also assume you've created a custom background image and saved it in **C:\\Setup\\Branding** on CM01. In this section, we use a custom background image named ContosoBackground.bmp. On **CM01**: @@ -42,7 +42,7 @@ On **CM01**: ## Create a boot image for Configuration Manager using the MDT wizard -By using the MDT wizard to create the boot image in Configuration Manager, you gain additional options for adding components and features to the boot image. In this section, you create a boot image for Configuration Manager using the MDT wizard. +By using the MDT wizard to create the boot image in Configuration Manager, you gain more options for adding components and features to the boot image. In this section, you create a boot image for Configuration Manager using the MDT wizard. On **CM01**: @@ -65,7 +65,7 @@ On **CM01**: 6. On the **Customization** page, select the **Use a custom background bitmap file** check box, and in the **UNC path:** text box, browse to **\\\\CM01\\Sources$\\OSD\\Branding\\ContosoBackground.bmp** and then click **Next** twice. Wait a few minutes while the boot image is generated, and then click **Finish**. 7. Distribute the boot image to the CM01 distribution point by selecting the **Boot images** node, right-clicking the **Zero Touch WinPE x64** boot image, and selecting **Distribute Content**. 8. In the Distribute Content Wizard, add the CM01 distribution point, and complete the wizard. -9. Using Configuration Manager Trace, review the D:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file. Do not continue until you can see that the boot image is distributed. Look for the line that reads **STATMSG: ID=2301**. You also can monitor Content Status in the Configuration Manager Console at **\Monitoring\Overview\Distribution Status\Content Status\Zero Touch WinPE x64**. See the following examples: +9. Using Configuration Manager Trace, review the D:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file. Don't continue until you can see that the boot image is distributed. Look for the line that reads **STATMSG: ID=2301**. You also can monitor Content Status in the Configuration Manager Console at **\Monitoring\Overview\Distribution Status\Content Status\Zero Touch WinPE x64**. See the following examples: ![Content status for the Zero Touch WinPE x64 boot image step 1.](../images/fig16-contentstatus1.png)
![Content status for the Zero Touch WinPE x64 boot image step 2.](../images/fig16-contentstatus2.png) diff --git a/windows/deployment/deploy-windows-cm/create-a-task-sequence-with-configuration-manager-and-mdt.md b/windows/deployment/deploy-windows-cm/create-a-task-sequence-with-configuration-manager-and-mdt.md index 260b79eadd..f846694f35 100644 --- a/windows/deployment/deploy-windows-cm/create-a-task-sequence-with-configuration-manager-and-mdt.md +++ b/windows/deployment/deploy-windows-cm/create-a-task-sequence-with-configuration-manager-and-mdt.md @@ -16,10 +16,10 @@ ms.topic: article - Windows 10 -In this article, you will learn how to create a Configuration Manager task sequence with Microsoft Deployment Toolkit (MDT) integration using the MDT wizard. Creating task sequences in Configuration Manager requires many more steps than creating task sequences for MDT Lite Touch installation. Luckily, the MDT wizard helps you through the process and also guides you through creating the needed packages. +In this article, you'll learn how to create a Configuration Manager task sequence with Microsoft Deployment Toolkit (MDT) integration using the MDT wizard. Creating task sequences in Configuration Manager requires many more steps than creating task sequences for MDT Lite Touch installation. Luckily, the MDT wizard helps you through the process and also guides you through creating the needed packages. -For the purposes of this guide, we will use one server computer: CM01. -- CM01 is a domain member server and Configuration Manager software distribution point. In this guide CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. +For the purposes of this guide, we'll use one server computer: CM01. +- CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). Note: Active Directory [permissions](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md#configure-active-directory-permissions) for the **CM_JD** account are required for the task sequence to work properly. @@ -93,9 +93,9 @@ On **CM01**: Add an application to the Configuration Manager task sequence >[!NOTE] - >In recent versions of Configuration Manager the Request State Store and Release State Store actions described below are present by default. These actions are used for common computer replace scenarios. There is also the additional condition on the options tab: USMTOfflineMigration not equals TRUE. If these actions are not present, try updating to the Config Mgr current branch release. + >In recent versions of Configuration Manager the Request State Store and Release State Store actions described below are present by default. These actions are used for common computer replace scenarios. There's also the additional condition on the options tab: USMTOfflineMigration not equals TRUE. If these actions are not present, try updating to the Config Mgr current branch release. -9. In the **State Restore** group, after the **Set Status 5** action, verify there is a **User State \ Request State Store** action with the following settings: +9. In the **State Restore** group, after the **Set Status 5** action, verify there's a **User State \ Request State Store** action with the following settings: * Request state storage location to: Restore state from another computer * If computer account fails to connect to state store, use the Network Access account: selected * Options: Continue on error @@ -103,7 +103,7 @@ On **CM01**: * Task Sequence Variable * USMTLOCAL not equals True -10. In the **State Restore** group, after the **Restore User State** action, verify there is a **Release State Store** action with the following settings: +10. In the **State Restore** group, after the **Restore User State** action, verify there's a **Release State Store** action with the following settings: * Options: Continue on error * Options / Condition: * Task Sequence Variable @@ -113,14 +113,14 @@ On **CM01**: ## Organize your packages (optional) -If desired, you can create a folder structure for packages. This is purely for organizational purposes and is useful if you need to manage a large number of packages. +If desired, you can create a folder structure for packages. This folder structure is purely for organizational purposes and is useful if you need to manage a large number of packages. To create a folder for packages: On **CM01**: 1. Using the Configuration Manager Console, in the Software Library workspace, expand **Application Management**, and then select **Packages**. -2. Right-click **Packages**, point to **Folder**, click **Create Folder** and create the OSD folder. This will create the Root \ OSD folder structure. +2. Right-click **Packages**, point to **Folder**, click **Create Folder** and create the OSD folder. This process will create the Root \ OSD folder structure. 3. Select the **MDT**, **User State Migration Tool for Windows**, and **Windows 10 x64 Settings** packages, right-click and select **Move**. 4. In the **Move Selected Items** dialog box, select the **OSD** folder, and click **OK**. diff --git a/windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md index caae9de1b6..102b3ae2d6 100644 --- a/windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md @@ -1,6 +1,7 @@ --- title: Create an app to deploy with Windows 10 using Configuration Manager -description: Microsoft Microsoft Endpoint Manager supports deploying applications as part of the Windows 10 deployment process. +description: Microsoft Endpoint Manager supports deploying applications as part of the Windows 10 deployment process. +ms.assetid: 2dfb2f39-1597-4999-b4ec-b063e8a8c90c ms.reviewer: manager: dougeby ms.author: aaroncz @@ -19,8 +20,8 @@ ms.topic: article Microsoft Endpoint Manager supports deploying applications as part of the Windows 10 deployment process. In this section, you create an application in Microsoft Endpoint Manager that you later configure the task sequence to use. -For the purposes of this guide, we will use one server computer: CM01. -- CM01 is a domain member server and Configuration Manager software distribution point. In this guide CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. +For the purposes of this guide, we'll use one server computer: CM01. +- CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. >[!NOTE] >The [reference image](add-a-windows-10-operating-system-image-using-configuration-manager.md) used in this lab already contains some applications, such as Microsoft Office 365 Pro Plus x64. The procedure demonstrated in this article enables you to add some additional custom applications beyond those included in the reference image. @@ -29,9 +30,9 @@ For the purposes of this guide, we will use one server computer: CM01. On **CM01**: -1. Create the **D:\Setup** folder if it does not already exist. +1. Create the **D:\Setup** folder if it doesn't already exist. 1. Download the Enterprise distribution version of [Adobe Acrobat Reader DC](https://get.adobe.com/reader/enterprise/) (ex: AcroRdrDC2000620034_en_US.exe) to **D:\\Setup\\Adobe** on CM01. The filename will differ depending on the version of Acrobat Reader. -2. Extract the .exe file that you downloaded to an .msi. The source folder will differ depending on where you downloaded the file. See the following example: +2. Extract the .exe file that you downloaded to a .msi. The source folder will differ depending on where you downloaded the file. See the following example: ```powershell Set-Location C:\Users\administrator.CONTOSO\Downloads @@ -64,7 +65,7 @@ On **CM01**: Add the "OSD Install" suffix to the application name -11. In the **Applications** node, select the Adobe Reader - OSD Install application, and click **Properties** on the ribbon bar (this is another place to view properties, you can also right-click and select properties). +11. In the **Applications** node, select the Adobe Reader - OSD Install application, and click **Properties** on the ribbon bar (this path is another place to view properties, you can also right-click and select properties). 12. On the **General Information** tab, select the **Allow this application to be installed from the Install Application task sequence action without being deployed** check box, and click **OK**. Next, see [Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md). diff --git a/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md b/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md index 55d9928a01..253e63190e 100644 --- a/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md @@ -1,6 +1,7 @@ --- title: Deploy Windows 10 using PXE and Configuration Manager (Windows 10) -description: In this topic, you will learn how to deploy Windows 10 using Microsoft Endpoint Manager deployment packages and task sequences. +description: In this topic, you'll learn how to deploy Windows 10 using Microsoft Endpoint Manager deployment packages and task sequences. +ms.assetid: fb93f514-5b30-4f4b-99dc-58e6860009fa manager: dougeby ms.author: aaroncz ms.prod: w10 @@ -16,9 +17,9 @@ ms.collection: highpri - Windows 10 -In this topic, you will learn how to deploy Windows 10 using Microsoft Endpoint Manager deployment packages and task sequences. This topic will walk you through the process of deploying the Windows 10 Enterprise image to a Unified Extensible Firmware Interface (UEFI) computer named PC0001. An existing Configuration Manager infrastructure that is integrated with MDT is used for the procedures in this topic. +In this topic, you'll learn how to deploy Windows 10 using Microsoft Endpoint Manager deployment packages and task sequences. This topic will walk you through the process of deploying the Windows 10 Enterprise image to a Unified Extensible Firmware Interface (UEFI) computer named PC0001. An existing Configuration Manager infrastructure that is integrated with MDT is used for the procedures in this topic. -This topic assumes that you have completed the following prerequisite procedures: +This topic assumes that you've completed the following prerequisite procedures: - [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) - [Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md) - [Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md) @@ -27,10 +28,10 @@ This topic assumes that you have completed the following prerequisite procedures - [Create a task sequence with Configuration Manager and MDT](create-a-task-sequence-with-configuration-manager-and-mdt.md) - [Finalize the operating system configuration for Windows 10 deployment with Configuration Manager](finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md) -For the purposes of this guide, we will use a minimum of two server computers (DC01 and CM01) and one client computer (PC0001). +For the purposes of this guide, we'll use a minimum of two server computers (DC01 and CM01) and one client computer (PC0001). - DC01 is a domain controller and DNS server for the contoso.com domain. DHCP services are also available and optionally installed on DC01 or another server. Note: DHCP services are required for the client (PC0001) to connect to the Windows Deployment Service (WDS). -- CM01 is a domain member server and Configuration Manager software distribution point. In this guide CM01 is a standalone primary site server. - - CM01 is also running WDS which will be required to start PC0001 via PXE. **Note**: Ensure that only CM01 is running WDS. +- CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server. + - CM01 is also running WDS that will be required to start PC0001 via PXE. **Note**: Ensure that only CM01 is running WDS. - PC0001 is a client computer that is blank, or has an operating system that will be erased and replaced with Windows 10. The device must be configured to boot from the network. >[!NOTE] @@ -38,7 +39,7 @@ For the purposes of this guide, we will use a minimum of two server computers (D All servers are running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. -All server and client computers referenced in this guide are on the same subnet. This is not required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the contoso.com domain. Internet connectivity is also required to download OS and application updates. +All server and client computers referenced in this guide are on the same subnet. This connection isn't required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the contoso.com domain. Internet connectivity is also required to download OS and application updates. >[!NOTE] >No WDS console configuration is required for PXE to work. Everything is done with the Configuration Manager console. @@ -50,7 +51,7 @@ All server and client computers referenced in this guide are on the same subnet. 3. On the **Select a task sequence to run** page, select **Windows 10 Enterprise x64 RTM** and click **Next**. 4. On the **Edit Task Sequence Variables** page, double-click the **OSDComputerName** variable, and in the **Value** field, type **PC0001** and click **OK**. Then click **Next**. 5. The operating system deployment will take several minutes to complete. -6. You can monitor the deployment on CM01 using the MDT Deployment Workbench. When you see the PC0001 entry, double-click **PC0001**, and then click **DaRT Remote Control** and review the **Remote Control** option. The task sequence will run and do the following: +6. You can monitor the deployment on CM01 using the MDT Deployment Workbench. When you see the PC0001 entry, double-click **PC0001**, and then click **DaRT Remote Control** and review the **Remote Control** option. The task sequence will run and do the following steps: * Install the Windows 10 operating system. * Install the Configuration Manager client and the client hotfix. @@ -64,7 +65,7 @@ All server and client computers referenced in this guide are on the same subnet. Monitoring the deployment with MDT. -7. When the deployment is finished you will have a domain-joined Windows 10 computer with the Adobe Reader application installed as well as the applications that were included in the reference image, such as Office 365 Pro Plus. +7. When the deployment is finished you'll have a domain-joined Windows 10 computer with the Adobe Reader application installed as well as the applications that were included in the reference image, such as Office 365 Pro Plus. Examples are provided below of various stages of deployment: diff --git a/windows/deployment/deploy-windows-cm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md b/windows/deployment/deploy-windows-cm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md index 15ccee4085..3984e65a9b 100644 --- a/windows/deployment/deploy-windows-cm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md @@ -19,8 +19,8 @@ ms.custom: seo-marvel-apr2020 This topic walks you through the steps to finalize the configuration of your Windows 10 operating deployment, which includes enabling optional MDT monitoring for Configuration Manager, logs folder settings, rules configuration, content distribution, and deployment of the previously created task sequence. -For the purposes of this guide, we will use one server computer: CM01. -- CM01 is a domain member server and Configuration Manager software distribution point. In this guide CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. +For the purposes of this guide, we'll use one server computer: CM01. +- CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). @@ -45,11 +45,11 @@ On **CM01**: ## Configure the Logs folder -The D:\Logs folder was [created previously](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md?#review-the-sources-folder-structure) and SMB permissions were added. Next, we will add NTFS folder permissions for the Configuration Manager Network Access Account (CM_NAA), and enable server-side logging by modifying the CustomSettings.ini file used by the Configuration Manager task sequence. +The D:\Logs folder was [created previously](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md?#review-the-sources-folder-structure) and SMB permissions were added. Next, we'll add NTFS folder permissions for the Configuration Manager Network Access Account (CM_NAA), and enable server-side logging by modifying the CustomSettings.ini file used by the Configuration Manager task sequence. On **CM01**: -1. To configure NTFS permissions using icacls.exe, type the following at an elevated Windows PowerShell prompt: +1. To configure NTFS permissions using icacls.exe, type the following command at an elevated Windows PowerShell prompt: ``` icacls D:\Logs /grant '"CM_NAA":(OI)(CI)(M)' @@ -82,17 +82,17 @@ On **CM01**: 3. In the Configuration Manager console, update the distribution point for the **Windows 10 x64 Settings** package by right-clicking the **Windows 10 x64 Settings** package and selecting **Update Distribution Points**. Click **OK** in the popup dialog box. >[!NOTE] - >Although you have not yet added a distribution point, you still need to select Update Distribution Points. This process also updates the Configuration Manager content library with changes. + >Although you haven't yet added a distribution point, you still need to select Update Distribution Points. This process also updates the Configuration Manager content library with changes. ## Distribute content to the CM01 distribution portal -In Configuration Manager, you can distribute all packages needed by a task sequence in a single task. In this section, you distribute packages that have not yet been distributed to the CM01 distribution point. +In Configuration Manager, you can distribute all packages needed by a task sequence in a single task. In this section, you distribute packages that haven't yet been distributed to the CM01 distribution point. On **CM01**: 1. Using the Configuration Manager console, in the Software Library workspace, expand **Operating Systems** and select **Task Sequences**. Right-click the **Windows 10 Enterprise x64 RTM** task sequence, and select **Distribute Content**. 2. In the Distribute Content Wizard, click **Next** twice then on the **Specify the content destination** page add the Distribution Point: **CM01.CONTOSO.COM**, and then complete the wizard. -3. Using the CMTrace tool, verify the distribution to the CM01 distribution point by reviewing the distmgr.log file, or use the Distribution Status / Content Status option in the Monitoring workspace. Do not continue until you see all the new packages being distributed successfully. +3. Using the CMTrace tool, verify the distribution to the CM01 distribution point by reviewing the distmgr.log file, or use the Distribution Status / Content Status option in the Monitoring workspace. Don't continue until you see all the new packages being distributed successfully. ![Content status.](../images/cm01-content-status1.png) @@ -100,7 +100,7 @@ On **CM01**: ## Create a deployment for the task sequence -This sections provides steps to help you create a deployment for the task sequence. +This section provides steps to help you create a deployment for the task sequence. On **CM01**: @@ -126,7 +126,7 @@ On **CM01**: ## Configure Configuration Manager to prompt for the computer name during deployment (optional) -You can have Configuration Manager prompt you for a computer name or you can use rules to generate a computer name. For more details on how to do this, see [Configure MDT settings](../deploy-windows-mdt/configure-mdt-settings.md). +You can have Configuration Manager prompt you for a computer name or you can use rules to generate a computer name. For more information on how to do this step, see [Configure MDT settings](../deploy-windows-mdt/configure-mdt-settings.md). This section provides steps to help you configure the All Unknown Computers collection to have Configuration Manager prompt for computer names. diff --git a/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md b/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md index 840f69546c..785a68cc3d 100644 --- a/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md @@ -20,7 +20,7 @@ This article walks you through the Zero Touch Installation (ZTI) process of Wind ## Prerequisites -In this article, you'll use [components](#components-of-configuration-manager-operating-system-deployment) of an existing Configuration Manager infrastructure to prepare for Windows 10 OSD. In addition to the base setup, the following configurations should be made in the Configuration Manager environment: +In this topic, you'll use [components](#components-of-configuration-manager-operating-system-deployment) of an existing Configuration Manager infrastructure to prepare for Windows 10 OSD. In addition to the base setup, the following configurations should be made in the Configuration Manager environment: - Configuration Manager current branch + all security and critical updates are installed. @@ -32,19 +32,18 @@ In this article, you'll use [components](#components-of-configuration-manager-op - The Configuration Manager [reporting services](/mem/configmgr/core/servers/manage/configuring-reporting) point role has been added and configured. - A file system folder structure and Configuration Manager console folder structure for packages has been created. Steps to verify or create this folder structure are [provided below](#review-the-sources-folder-structure). - The [Windows ADK](/windows-hardware/get-started/adk-install) (including USMT) version 1903, Windows PE add-on, WSIM 1903 update, [MDT](https://www.microsoft.com/download/details.aspx?id=54259) version 8456, and DaRT 10 (part of [MDOP 2015](https://my.visualstudio.com/Downloads?q=Desktop%20Optimization%20Pack%202015)) are installed. -- The [CMTrace tool](/mem/configmgr/core/support/cmtrace) (cmtrace.exe) is installed on the distribution point. - - > [!NOTE] - > CMTrace is automatically installed with the current branch of Configuration Manager. +- The [CMTrace tool](/configmgr/core/support/cmtrace) (cmtrace.exe) is installed on the distribution point. + > [!NOTE] + > CMTrace is automatically installed with the current branch of Configuration Manager at **Program Files\Microsoft Configuration Manager\tools\cmtrace.exe**. In previous releases of ConfigMgr, it was necessary to install the [Configuration Manager Toolkit](https://www.microsoft.com/download/details.aspx?id=50012) separately to get the CMTrace tool, but this separate installation is no longer needed. Configuration Manager version 1910 installs version 5.0.8913.1000 of the CMTrace tool. For the purposes of this guide, we'll use three server computers: DC01, CM01 and HV01. - DC01 is a domain controller and DNS server for the contoso.com domain. DHCP services are also available and optionally installed on DC01 or another server. -- CM01 is a domain member server and Configuration Manager software distribution point. In this guide CM01 is a standalone primary site server. +- CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server. - HV01 is a Hyper-V host computer that is used to build a Windows 10 reference image. This computer doesn't need to be a domain member. All servers are running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. -All server and client computers referenced in this guide are on the same subnet. This configuration isn't required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the contoso.com domain. Internet connectivity is also required to download OS and application updates. +All server and client computers referenced in this guide are on the same subnet. This interrelation isn't required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the contoso.com domain. Internet connectivity is also required to download OS and application updates. ### Domain credentials @@ -57,13 +56,13 @@ The following generic credentials are used in this guide. You should replace the ## Create the OU structure >[!NOTE] ->If you have already [created the OU structure](../deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md#create-the-ou-structure) that was used in the OSD guide for MDT, the same structure is used here and you can skip this section. +>If you've already [created the OU structure](../deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md#create-the-ou-structure) that was used in the OSD guide for MDT, the same structure is used here and you can skip this section. On **DC01**: To create the OU structure, you can use the Active Directory Users and Computers console (dsa.msc), or you can use Windows PowerShell. The procedure below uses Windows PowerShell. -To use Windows PowerShell, copy the following commands into a text file and save it as **C:\Setup\Scripts\ou.ps1**. Be sure that you're viewing file extensions and that you save the file with the `.ps1` extension. +To use Windows PowerShell, copy the following commands into a text file and save it as C:\Setup\Scripts\ou.ps1. Ensure that you're viewing file extensions and that you save the file with the .ps1 extension. ```powershell $oulist = Import-csv -Path c:\oulist.txt @@ -123,11 +122,11 @@ On **DC01**: ## Configure Active Directory permissions -In order for the Configuration Manager Join Domain Account (CM\_JD) to join machines into the contoso.com domain you need to configure permissions in Active Directory. These steps assume you've downloaded the sample [Set-OUPermissions.ps1 script](https://github.com/DeploymentArtist/SWP1/tree/master/Scripts) and copied it to C:\\Setup\\Scripts on DC01. +In order for the Configuration Manager Join Domain Account (CM\_JD) to join machines into the contoso.com domain, you need to configure permissions in Active Directory. These steps assume you've downloaded the sample [Set-OUPermissions.ps1 script](https://go.microsoft.com/fwlink/p/?LinkId=619362) and copied it to C:\\Setup\\Scripts on DC01. On **DC01**: -1. Sign in as contoso\administrator and enter the following at an elevated Windows PowerShell prompt: +1. Sign in as contoso\administrator and enter the following commands at an elevated Windows PowerShell prompt: ```powershell Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force @@ -135,7 +134,7 @@ On **DC01**: .\Set-OUPermissions.ps1 -Account CM_JD -TargetOU "OU=Workstations,OU=Computers,OU=Contoso" ``` -2. The Set-OUPermissions.ps1 script allows the CM\_JD user account permissions to manage computer accounts in the Contoso / Computers / Workstations OU. The following is a list of the permissions being granted: +2. The Set-OUPermissions.ps1 script allows the CM\_JD user account permissions to manage computer accounts in the Contoso / Computers / Workstations OU. The following list is that of permissions being granted: * Scope: This object and all descendant objects * Create Computer objects @@ -174,7 +173,7 @@ To support the packages you create in this article, the following folder structu You can run the following commands from an elevated Windows PowerShell prompt to create this folder structure: ->We will also create the D:\Logs folder here which will be used later to support server-side logging. +>We'll also create the D:\Logs folder here which will be used later to support server-side logging. ```powershell New-Item -ItemType Directory -Path "D:\Sources" @@ -196,7 +195,7 @@ New-SmbShare -Name Logs$ -Path D:\Logs -ChangeAccess EVERYONE ## Integrate Configuration Manager with MDT -To extend the Configuration Manager console with MDT wizards and templates, install MDT with the default settings and run the **Configure ConfigManager Integration** desktop app. In these steps, we assume you have already [downloaded MDT](https://www.microsoft.com/download/details.aspx?id=54259) and installed it with default settings. +To extend the Configuration Manager console with MDT wizards and templates, install MDT with the default settings and run the **Configure ConfigManager Integration** desktop app. In these steps, we assume you've already [downloaded MDT](https://www.microsoft.com/download/details.aspx?id=54259) and installed it with default settings. On **CM01**: @@ -264,7 +263,7 @@ On **CM01**: Configure the CM01 distribution point for PXE. >[!NOTE] - >If you select **Enable a PXE responder without Windows Deployment Service**, then WDS will not be installed, or if it is already installed it will be suspended, and the **ConfigMgr PXE Responder Service** (SccmPxe) will be used instead of WDS. The ConfigMgr PXE Responder does not support multicast. For more information, see [Install and configure distribution points](/mem/configmgr/core/servers/deploy/configure/install-and-configure-distribution-points#bkmk_config-pxe). + >If you select **Enable a PXE responder without Windows Deployment Service**, then WDS won't be installed, or if it's already installed it will be suspended, and the **ConfigMgr PXE Responder Service** (SccmPxe) will be used instead of WDS. The ConfigMgr PXE Responder doesn't support multicast. For more information, see [Install and configure distribution points](/configmgr/core/servers/deploy/configure/install-and-configure-distribution-points#bkmk_config-pxe). 4. Using the CMTrace tool, review the C:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file. Look for ConfigurePXE and CcmInstallPXE lines. @@ -272,7 +271,7 @@ On **CM01**: The distmgr.log displays a successful configuration of PXE on the distribution point. -5. Verify that you have seven files in each of the folders **D:\\RemoteInstall\\SMSBoot\\x86** and **D:\\RemoteInstall\\SMSBoot\\x64**. +5. Verify that you've seven files in each of the folders **D:\\RemoteInstall\\SMSBoot\\x86** and **D:\\RemoteInstall\\SMSBoot\\x64**. ![figure 14.](../images/mdt-06-fig15.png) @@ -284,18 +283,17 @@ Next, see [Create a custom Windows PE boot image with Configuration Manager](cre ## Components of Configuration Manager operating system deployment -Operating system deployment with Configuration Manager is part of the normal software distribution infrastructure, but there are other components. For example, operating system deployment in Configuration Manager may use the State Migration Point role, which isn't used by normal application deployment in Configuration Manager. This section describes the Configuration Manager components involved with the deployment of an operating system, such as Windows 10. +Operating system deployment with Configuration Manager is part of the normal software distribution infrastructure, but there are more components. For example, operating system deployment in Configuration Manager may use the State Migration Point role, which isn't used by normal application deployment in Configuration Manager. This section describes the Configuration Manager components involved with the deployment of an operating system, such as Windows 10. - **State migration point (SMP).** The state migration point is used to store user state migration data during computer replace scenarios. - **Distribution point (DP).** The distribution point is used to store all packages in Configuration Manager, including the operating system deployment-related packages. - **Software update point (SUP).** The software update point, which is normally used to deploy updates to existing machines, also can be used to update an operating system as part of the deployment process. You also can use offline servicing to update the image directly on the Configuration Manager server. - **Reporting services point.** The reporting services point can be used to monitor the operating system deployment process. - **Boot images.** Boot images are the Windows Preinstallation Environment (Windows PE) images Configuration Manager uses to start the deployment. -- **Operating system images.** The operating system image package contains only one file, the custom .wim image. This is typically the production deployment image. +- **Operating system images.** The operating system image package contains only one file, the custom .wim image. This image is typically the production deployment image. - **Operating system installers.** The operating system installers were originally added to create reference images using Configuration Manager. Instead, we recommend that you use MDT Lite Touch to create your reference images. For more information on how to create a reference image, see [Create a Windows 10 reference image](../deploy-windows-mdt/create-a-windows-10-reference-image.md). - **Drivers.** Like MDT Lite Touch, Configuration Manager also provides a repository (catalog) of managed device drivers. -- **Task sequences.** The task sequences in Configuration Manager look and feel much like the sequences in MDT Lite Touch, and they're used for the same purpose. However, in Configuration Manager the task sequence is delivered to the clients as a policy via the Management Point (MP). MDT provides extra task sequence templates to Configuration Manager. - +- **Task sequences.** The task sequences in Configuration Manager look and feel much like the sequences in MDT Lite Touch, and they're used for the same purpose. However, in Configuration Manager, the task sequence is delivered to the clients as a policy via the Management Point (MP). MDT provides more task sequence templates to Configuration Manager. > [!NOTE] > The Windows Assessment and Deployment Kit (ADK) for Windows 10 is also required to support management and deployment of Windows 10. @@ -303,12 +301,17 @@ Operating system deployment with Configuration Manager is part of the normal sof As noted above, MDT adds many enhancements to Configuration Manager. While these enhancements are called Zero Touch, that name doesn't reflect how deployment is conducted. The following sections provide a few samples of the 280 enhancements that MDT adds to Configuration Manager. +>[!NOTE] +>MDT installation requires the following: +>- The Windows ADK for Windows 10 (installed in the previous procedure) +>- Windows PowerShell ([version 5.1](https://www.microsoft.com/download/details.aspx?id=54616) is recommended; type **$host** to check) +>- Microsoft .NET Framework + ### MDT enables dynamic deployment -When MDT is integrated with Configuration Manager, the task sequence takes other instructions from the MDT rules. In its most simple form, these settings are stored in a text file, the CustomSettings.ini file, but you can store the settings in Microsoft SQL Server databases, or have a script or web services provide the settings used. +When MDT is integrated with Configuration Manager, the task sequence takes more instructions from the MDT rules. In its most simple form, these settings are stored in a text file, the CustomSettings.ini file, but you can store the settings in Microsoft SQL Server databases, or have Microsoft Visual Basic Scripting Edition (VBScripts) or web services provide the settings used. The task sequence uses instructions that allow you to reduce the number of task sequences in Configuration Manager and instead store settings outside the task sequence. Here are a few examples: - - The following settings instruct the task sequence to install the HP Hotkeys package, but only if the hardware is an HP EliteBook 8570w. You don't have to add the package to the task sequence. ``` syntax @@ -349,7 +352,7 @@ The folder that contains the rules, a few scripts from MDT, and a custom script ### MDT adds real-time monitoring -With MDT integration, you can follow your deployments in real time, and if you have access to Microsoft Diagnostics and Recovery Toolkit (DaRT), you can even remote into Windows Preinstallation Environment (Windows PE) during deployment. The real-time monitoring data can be viewed from within the MDT Deployment Workbench, via a web browser, Windows PowerShell, the Event Viewer, or Microsoft Excel 2013. In fact, any script or app that can read an Open Data (OData) feed can read the information. +With MDT integration, you can follow your deployments in real time, and if you've access to Microsoft Diagnostics and Recovery Toolkit (DaRT), you can even remote into Windows Preinstallation Environment (Windows PE) during deployment. The real-time monitoring data can be viewed from within the MDT Deployment Workbench, via a web browser, Windows PowerShell, the Event Viewer, or Microsoft Excel 2013. In fact, any script or app that can read an Open Data (OData) feed can read the information. ![figure 4.](../images/mdt-06-fig04.png) @@ -370,25 +373,18 @@ MDT Zero Touch simply extends Configuration Manager with many useful built-in op You can create reference images for Configuration Manager in Configuration Manager, but in general we recommend creating them in MDT Lite Touch for the following reasons: - You can use the same image for every type of operating system deployment - Microsoft Virtual Desktop Infrastructure (VDI), Microsoft System Center Virtual Machine Manager (VMM), MDT, Configuration Manager, Windows Deployment Services (WDS), and more. -- Configuration Manager performs deployment in the LocalSystem context. This means that you can't configure the Administrator account with all of the settings that you would like to be included in the image. MDT runs in the context of the Local Administrator, which means you can configure the look and feel of the configuration and then use the CopyProfile functionality to copy these changes to the default user during deployment. +- Configuration Manager performs deployment in the LocalSystem context, which means that you can't configure the Administrator account with all of the settings that you would like to be included in the image. MDT runs in the context of the Local Administrator, which means you can configure the look and feel of the configuration and then use the CopyProfile functionality to copy these changes to the default user during deployment. - The Configuration Manager task sequence doesn't suppress user interface interaction. - MDT Lite Touch supports a Suspend action that allows for reboots, which is useful when you need to perform a manual installation or check the reference image before it's automatically captured. - MDT Lite Touch doesn't require any infrastructure and is easy to delegate. -## Related articles - -[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md) - -[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md) - -[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md) - -[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md) - -[Create a task sequence with Configuration Manager and MDT](./create-a-task-sequence-with-configuration-manager-and-mdt.md) - -[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md) - -[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md) +## Related topics +[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
+[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
+[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
+[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
+[Create a task sequence with Configuration Manager and MDT](./create-a-task-sequence-with-configuration-manager-and-mdt.md)
+[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
+[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md) diff --git a/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md index 117dedd018..41822baf59 100644 --- a/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md @@ -17,7 +17,7 @@ ms.custom: seo-marvel-apr2020 - Windows 10 -This topic will show you how to refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager and Microsoft Deployment Toolkit (MDT). A computer refresh is not the same as an in-place upgrade. A computer refresh involves storing user data and settings from the old installation, wiping the hard drives, installing a new OS, and then restoring the user data at the end of the installation. Also see the MDT refesh procedure: [Refresh a Windows 7 computer with Windows 10](../deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md). +This topic will show you how to refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager and Microsoft Deployment Toolkit (MDT). A computer refresh isn't the same as an in-place upgrade. A computer refresh involves storing user data and settings from the old installation, wiping the hard drives, installing a new OS, and then restoring the user data at the end of the installation. Also see the MDT refresh procedure: [Refresh a Windows 7 computer with Windows 10](../deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md). A computer refresh with Configuration Manager works the same as it does with MDT Lite Touch installation. Configuration Manager also uses the User State Migration Tool (USMT) from the Windows Assessment and Deployment Kit (Windows ADK) 10 in the background. A computer refresh with Configuration Manager has the following steps: @@ -31,8 +31,8 @@ A computer refresh with Configuration Manager works the same as it does with MDT An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). -For the purposes of this article, we will use one server computer (CM01) and one client computer (PC0003). -- CM01 is a domain member server and Configuration Manager software distribution point. In this guide CM01 is a standalone primary site server. +For the purposes of this article, we'll use one server computer (CM01) and one client computer (PC0003). +- CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server. - PC0003 is a domain member client computer running Windows 7 SP1, or a later version of Windows, with the Configuration Manager client installed, that will be refreshed to Windows 10. >[!NOTE] @@ -40,7 +40,7 @@ For the purposes of this article, we will use one server computer (CM01) and one All servers are running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. -All server and client computers referenced in this guide are on the same subnet. This is not required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the contoso.com domain. Internet connectivity is also required to download OS and application updates. +All server and client computers referenced in this guide are on the same subnet. This interrelation isn't required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the contoso.com domain. Internet connectivity is also required to download OS and application updates. >[!IMPORTANT] >This article assumes that you have [configured Active Directory permissions](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md#configure-active-directory-permissions) in the specified OU for the **CM_JD** account, and the client's Active Directory computer account is in the **Contoso > Computers > Workstations** OU. Use the Active Directory Users and Computers console to review the location of computer objects and move them if needed. @@ -76,7 +76,7 @@ On **CM01**: Use the default settings to complete the remaining wizard pages and click **Close**. -2. Review the Install Windows 10 Enterprise x64 collection. Do not continue until you see the PC0003 machine in the collection. +2. Review the Install Windows 10 Enterprise x64 collection. Don't continue until you see the PC0003 machine in the collection. >[!NOTE] >It may take a short while for the collection to refresh; you can view progress via the Colleval.log file. If you want to speed up the process, you can manually update membership on the Install Windows 10 Enterprise x64 collection by right-clicking the collection and selecting Update Membership. @@ -94,7 +94,7 @@ Using the Configuration Manager console, in the Software Library workspace, expa - Make available to the following: Configuration Manager clients, media and PXE >[!NOTE] - >It is not necessary to make the deployment available to media and Pre-Boot Execution Environment (PXE) for a computer refresh, but you will use the same deployment for bare-metal deployments later on and you will need it at that point. + >It's not necessary to make the deployment available to media and Pre-Boot Execution Environment (PXE) for a computer refresh, but you will use the same deployment for bare-metal deployments later on and you will need it at that point. - Scheduling - <default> diff --git a/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md index 242bcd70ee..4d0bcca63b 100644 --- a/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md @@ -1,6 +1,7 @@ --- title: Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager -description: In this topic, you will learn how to replacing a Windows 7 SP1 computer using Microsoft Endpoint Configuration Manager. +description: In this topic, you'll learn how to replace a Windows 7 SP1 computer using Microsoft Endpoint Configuration Manager. +ms.assetid: 3c8a2d53-8f08-475f-923a-bca79ca8ac36 ms.reviewer: manager: dougeby ms.author: aaroncz @@ -17,16 +18,16 @@ ms.custom: seo-marvel-apr2020 - Windows 10 -In this topic, you will learn how to replace a Windows 7 SP1 computer using Microsoft Endpoint Configuration Manager. This process is similar to refreshing a computer, but since you are replacing the device, you have to run the backup job separately from the deployment of Windows 10. +In this topic, you'll learn how to replace a Windows 7 SP1 computer using Microsoft Endpoint Configuration Manager. This process is similar to refreshing a computer, but since you're replacing the device, you have to run the backup job separately from the deployment of Windows 10. -In this topic, you will create a backup-only task sequence that you run on PC0004 (the device you are replacing), deploy the PC0006 computer running Windows 10, and then restore this backup of PC0004 onto PC006. This is similar to the MDT replace process: [Replace a Windows 7 computer with a Windows 10 computer](../deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md). +In this topic, you'll create a backup-only task sequence that you run on PC0004 (the device you're replacing), deploy the PC0006 computer running Windows 10, and then restore this backup of PC0004 onto PC006. This process is similar to the MDT replace process: [Replace a Windows 7 computer with a Windows 10 computer](../deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md). ## Infrastructure An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). -For the purposes of this article, we will use one server computer (CM01) and two client computers (PC0004, PC0006). -- CM01 is a domain member server and Configuration Manager software distribution point. In this guide CM01 is a standalone primary site server. +For the purposes of this article, we'll use one server computer (CM01) and two client computers (PC0004, PC0006). +- CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server. - Important: CM01 must include the **[State migration point](/configmgr/osd/get-started/manage-user-state#BKMK_StateMigrationPoint)** role for the replace task sequence used in this article to work. - PC0004 is a domain member client computer running Windows 7 SP1, or a later version of Windows, with the Configuration Manager client installed, that will be replaced. - PC0006 is a domain member client computer running Windows 10, with the Configuration Manager client installed, that will replace PC0004. @@ -36,7 +37,7 @@ For the purposes of this article, we will use one server computer (CM01) and two All servers are running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. -All server and client computers referenced in this guide are on the same subnet. This is not required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the contoso.com domain. Internet connectivity is also required to download OS and application updates. +All server and client computers referenced in this guide are on the same subnet. This interrelation isn't required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the contoso.com domain. Internet connectivity is also required to download OS and application updates. >[!IMPORTANT] >This article assumes that you have [configured Active Directory permissions](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md#configure-active-directory-permissions) in the specified OU for the **CM_JD** account, and the client's Active Directory computer account is in the **Contoso > Computers > Workstations** OU. Use the Active Directory Users and Computers console to review the location of computer objects and move them if needed. @@ -70,15 +71,15 @@ The backup-only task sequence (named Replace Task Sequence). ## Associate the new device with the old computer -This section walks you through the process of associating a new, blank device (PC0006), with an existing computer (PC0004), for the purpose of replacing PC0004 with PC0006. PC0006 can be either a physical or virtual machine. +This section walks you through the process of associating a new, blank device (PC0006), with an existing computer (PC0004), for replacing PC0004 with PC0006. PC0006 can be either a physical or virtual machine. On **HV01** (if PC0006 is a VM) or in the PC0006 BIOS: -1. Make a note of the MAC address for PC0006. (If PC0006 is a virtual machine, you can see the MAC Address in the virtual machine settings.) In our example, the PC0006 MAC Address is 00:15:5D:0A:6A:96. Do not attempt to PXE boot PC0006 yet. +1. Make a note of the MAC address for PC0006. (If PC0006 is a virtual machine, you can see the MAC Address in the virtual machine settings.) In our example, the PC0006 MAC Address is 00:15:5D:0A:6A:96. Don't attempt to PXE boot PC0006 yet. On **CM01**: -2. Using the Configuration Manager console, in the Assets and Compliance workspace, right-click **Devices**, and then click **Import Computer Information**. +2. When you're using the Configuration Manager console, in the Assets and Compliance workspace, right-click **Devices**, and then click **Import Computer Information**. 3. On the **Select Source** page, select **Import single computer** and click **Next**. 4. On the **Single Computer** page, use the following settings and then click **Next**: @@ -95,14 +96,14 @@ On **CM01**: 7. On the **Choose additional collections** page, click **Add** and then select the **Install Windows 10 Enterprise x64** collection. Now, select the checkbox next to the Install Windows 10 Enterprise x64 collection you just added, and then click **Next**. 8. On the **Summary** page, click **Next**, and then click **Close**. 9. Select the **User State Migration** node and review the computer association in the right hand pane. -10. Right-click the **PC0004/PC0006** association and click **View Recovery Information**. Note that a recovery key has been assigned already, but a user state store location has not. -11. Review the **Install Windows 10 Enterprise x64** collection. Do not continue until you see the **PC0006** computer in the collection. You might have to update membership and refresh the collection again. +10. Right-click the **PC0004/PC0006** association and click **View Recovery Information**. A recovery key has been assigned already, but a user state store location hasn't. +11. Review the **Install Windows 10 Enterprise x64** collection. Don't continue until you see the **PC0006** computer in the collection. You might have to update membership and refresh the collection again. ## Create a device collection and add the PC0004 computer On **CM01**: -1. Using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings: +1. When you're using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings: * General * Name: USMT Backup (Replace) @@ -117,7 +118,7 @@ On **CM01**: Use default settings for the remaining wizard pages, then click **Close**. -2. Review the **USMT Backup (Replace)** collection. Do not continue until you see the **PC0004** computer in the collection. +2. Review the **USMT Backup (Replace)** collection. Don't continue until you see the **PC0004** computer in the collection. ## Create a new deployment @@ -145,7 +146,7 @@ This section assumes that you have a computer named PC0004 with the Configuratio On **PC0004**: -1. If it is not already started, start the PC0004 computer and open the Configuration Manager control panel (control smscfgrc). +1. If it's not already started, start the PC0004 computer and open the Configuration Manager control panel (control smscfgrc). 2. On the **Actions** tab, select **Machine Policy Retrieval & Evaluation Cycle**, click **Run Now**, and then click **OK** in the popup dialog box that appears. >[!NOTE] @@ -161,8 +162,8 @@ Capturing the user state On **CM01**: -6. Open the state migration point storage folder (ex: D:\Migdata) and verify that a sub-folder was created containing the USMT backup. -7. Using the Configuration Manager console, in the Assets and Compliance workspace, select the **User State Migration** node, right-click the **PC0004/PC0006** association, and select **View Recovery Information**. Note that the object now also has a user state store location. +6. Open the state migration point storage folder (ex: D:\Migdata) and verify that a subfolder was created containing the USMT backup. +7. Using the Configuration Manager console, in the Assets and Compliance workspace, select the **User State Migration** node, right-click the **PC0004/PC0006** association, and select **View Recovery Information**. The object now also has a user state store location. >[!NOTE] >It may take a few minutes for the user state store location to be populated. @@ -176,7 +177,7 @@ On **PC0006**: * Password: pass@word1 * Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM -2. The setup now starts and does the following: +2. The setup now starts and does the following steps: * Installs the Windows 10 operating system * Installs the Configuration Manager client @@ -184,7 +185,7 @@ On **PC0006**: * Installs the applications * Restores the PC0004 backup -When the process is complete, you will have a new Windows 10 computer in your domain with user data and settings restored. See the following examples: +When the process is complete, you'll have a new Windows 10 computer in your domain with user data and settings restored. See the following examples: ![User data and setting restored example 1.](../images/pc0006a.png)
![User data and setting restored example 2.](../images/pc0006b.png)
diff --git a/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md b/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md index dd7097e837..5d6a936a26 100644 --- a/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md @@ -27,28 +27,28 @@ The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Wi An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). -For the purposes of this article, we will use one server computer (CM01) and one client computers (PC0004). -- CM01 is a domain member server and Configuration Manager software distribution point. In this guide CM01 is a standalone primary site server. +For the purposes of this article, we'll use one server computer (CM01) and one client computer (PC0004). +- CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server. - PC0004 is a domain member client computer running Windows 7 SP1, or a later version of Windows, with the Configuration Manager client installed, that will be upgraded to Windows 10. All servers are running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. -All server and client computers referenced in this guide are on the same subnet. This is not required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the contoso.com domain. Internet connectivity is also required to download OS and application updates. +All server and client computers referenced in this guide are on the same subnet. This interrelation isn't required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the contoso.com domain. Internet connectivity is also required to download OS and application updates. ## Add an OS upgrade package -Configuration Manager Current Branch includes a native in-place upgrade task. This task sequence differs from the MDT in-place upgrade task sequence in that it does not use a default OS image, but rather uses an [OS upgrade package](/configmgr/osd/get-started/manage-operating-system-upgrade-packages). +Configuration Manager Current Branch includes a native in-place upgrade task. This task sequence differs from the MDT in-place upgrade task sequence in that it doesn't use a default OS image, but rather uses an [OS upgrade package](/configmgr/osd/get-started/manage-operating-system-upgrade-packages). On **CM01**: 1. Using the Configuration Manager console, in the Software Library workspace, expand **Operating Systems**, right-click **Operating System Upgrade Packages**, and click **Add Operating System Upgrade Package**. -2. On the **Data Source** page, under **Path**, click **Browse** and enter the UNC path to your media source. In this example, we have extracted the Windows 10 installation media to **\\\\cm01\\Sources$\\OSD\\UpgradePackages\\Windows 10**. -3. If you have multiple image indexes in the installation media, select **Extract a specific image index from install.wim...** and choose the image index you want from the dropdown menu. In this example, we have chosen **Windows 10 Enterprise**. +2. On the **Data Source** page, under **Path**, click **Browse** and enter the UNC path to your media source. In this example, we've extracted the Windows 10 installation media to **\\\\cm01\\Sources$\\OSD\\UpgradePackages\\Windows 10**. +3. If you have multiple image indexes in the installation media, select **Extract a specific image index from install.wim...** and choose the image index you want from the dropdown menu. In this example, we've chosen **Windows 10 Enterprise**. 4. Next to **Architecture**, select **x64**, choose a language from the dropdown menu next to **Language**, and then click **Next**. 5. Next to **Name**, enter **Windows 10 x64 RTM** and then complete the wizard by clicking **Next** and **Close**. 6. Distribute the OS upgrade package to the CM01 distribution point by right-clicking the **Windows 10 x64 RTM** OS upgrade package and then clicking **Distribute Content**. 7. In the Distribute Content Wizard, add the CM01 distribution point, click **Next** and click **Close**. -8. View the content status for the Windows 10 x64 RTM upgrade package. Do not continue until the distribution is completed (it might take a few minutes). You also can review the D:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file and look for the **STATMSG: ID=2301** line. +8. View the content status for the Windows 10 x64 RTM upgrade package. Don't continue until the distribution is completed (it might take a few minutes). You also can review the D:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file and look for the **STATMSG: ID=2301** line. ## Create an in-place upgrade task sequence @@ -77,7 +77,7 @@ After you create the upgrade task sequence, you can create a collection to test On **CM01**: -1. Using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings: +1. When you're using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings: - General - Name: Windows 10 x64 in-place upgrade - Limited Collection: All Systems @@ -89,7 +89,7 @@ On **CM01**: - Select Resources - Select PC0004 -2. Review the Windows 10 x64 in-place upgrade collection. Do not continue until you see PC0004 in the collection. +2. Review the Windows 10 x64 in-place upgrade collection. Don't continue until you see PC0004 in the collection. ## Deploy the Windows 10 upgrade diff --git a/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md b/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md index 3300697ddc..ccf4df0e57 100644 --- a/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md +++ b/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md @@ -1,6 +1,7 @@ --- title: Build a distributed environment for Windows 10 deployment (Windows 10) -description: In this topic, you will learn how to replicate your Windows 10 deployment shares to facilitate the deployment of Windows 10 in remote or branch locations. +description: In this topic, you'll learn how to replicate your Windows 10 deployment shares to facilitate the deployment of Windows 10 in remote or branch locations. +ms.assetid: a6cd5657-6a16-4fff-bfb4-44760902d00c ms.reviewer: manager: dougeby ms.author: aaroncz @@ -17,9 +18,9 @@ ms.topic: article Perform the steps in this article to build a distributed environment for Windows 10 deployment. A distributed environment for deployment is useful when you have a segmented network, for example one that is segmented geographically into two branch locations. If you work in a distributed environment, replicating the deployment shares is an important part of a deployment solution because images of 5 GB or more in size can present bandwidth issues when deployed over the wire. Replicating this content enables clients to do local deployments. -Four computers are used in this topic: DC01, MDT01, MDT02, and PC0006. DC01 is a domain controller, MDT01 and MDT02 are domain member computers running Windows Server 2019, and PC0006 is a blank device where we will deploy Windows 10. The second deployment server (MDT02) will be configured for a remote site (Stockholm) by replicating the deployment share on MDT01 at the original site (New York). All devices are members of the domain contoso.com for the fictitious Contoso Corporation. +Four computers are used in this topic: DC01, MDT01, MDT02, and PC0006. DC01 is a domain controller, MDT01 and MDT02 are domain member computers running Windows Server 2019, and PC0006 is a blank device where we'll deploy Windows 10. The second deployment server (MDT02) will be configured for a remote site (Stockholm) by replicating the deployment share on MDT01 at the original site (New York). All devices are members of the domain contoso.com for the fictitious Contoso Corporation. -For the purposes of this article, we assume that MDT02 is prepared with the same network and storage capabilities that were specified for MDT01, except that MDT02 is located on a different subnet than MDT01. For more details on the infrastructure setup for this topic, please see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md). +For the purposes of this article, we assume that MDT02 is prepared with the same network and storage capabilities that were specified for MDT01, except that MDT02 is located on a different subnet than MDT01. For more information on the infrastructure setup for this topic, see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md). ![figure 1.](../images/mdt-10-fig01.png) @@ -29,7 +30,7 @@ Computers used in this topic. ## Replicate deployment shares -Replicating the content between MDT01 (New York) and MDT02 (Stockholm) can be done in a number of different ways. The most common content replication solutions with Microsoft Deployment Toolkit (MDT) use either the Linked Deployment Shares (LDS) feature or Distributed File System Replication (DFS-R). Some organizations have used a simple robocopy script for replication of the content. +Replicating the content between MDT01 (New York) and MDT02 (Stockholm) can be done in different ways. The most common content replication solutions with Microsoft Deployment Toolkit (MDT) use either the Linked Deployment Shares (LDS) feature or Distributed File System Replication (DFS-R). Some organizations have used a simple robocopy script for replication of the content. > [!NOTE] > Robocopy has options that allow for synchronization between folders. It has a simple reporting function; it supports transmission retry; and, by default, it will only copy/remove files from the source that are newer than files on the target. @@ -40,7 +41,7 @@ LDS is a built-in feature in MDT for replicating content. However, LDS works bes ### Why DFS-R is a better option -DFS-R is not only very fast and reliable, but it also offers central monitoring, bandwidth control, and a great delta replication engine. DFS-R will work equally well whether you have 2 sites or 90. When using DFS-R for MDT, we recommend running your deployment servers on Windows Server 2008 R2 or higher. From that version on, you can configure the replication targets as read-only, which is exactly what you want for MDT. This way, you can have your master deployment share centralized and replicate out changes as they happen. DFS-R will quickly pick up changes at the central deployment share in MDT01 and replicate the delta changes to MDT02. +DFS-R isn't only fast and reliable, but it also offers central monitoring, bandwidth control, and a great delta replication engine. DFS-R will work equally well whether you have 2 sites or 90. When using DFS-R for MDT, we recommend running your deployment servers on Windows Server 2008 R2 or higher. From that version on, you can configure the replication targets as read-only, which is exactly what you want for MDT. This way, you can have your master deployment share centralized and replicate out changes as they happen. DFS-R will quickly pick up changes at the central deployment share in MDT01 and replicate the delta changes to MDT02. ## Set up Distributed File System Replication (DFS-R) for replication @@ -113,7 +114,7 @@ When you have multiple deployment servers sharing the same content, you need to On **MDT01**: -1. Using Notepad, navigate to the **D:\\MDTProduction\\Control** folder and modify the Boostrap.ini file as follows. Under [DefaultGateway] enter the IP addresses for the client's default gateway in New York and Stockholm, respectively (replace 10.10.10.1 and 10.10.20.1 with your default gateways). The default gateway setting is what tells the client which deployment share (i.e. server) to use. +1. Using Notepad, navigate to the **D:\\MDTProduction\\Control** folder and modify the Boostrap.ini file as follows. Under [DefaultGateway] enter the IP addresses for the client's default gateway in New York and Stockholm, respectively (replace 10.10.10.1 and 10.10.20.1 with your default gateways). The default gateway setting is what tells the client which deployment share (that is, server) to use. ```ini [Settings] @@ -152,7 +153,7 @@ On **MDT01**: ## Replicate the content - Once the MDT01 and MDT02 servers are prepared, you are ready to configure the actual replication. + Once the MDT01 and MDT02 servers are prepared, you're ready to configure the actual replication. ### Create the replication group @@ -247,7 +248,7 @@ Now you should have a solution ready for deploying the Windows 10 client to the 1. Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM Custom Image 2. Computer Name: PC0006 3. Applications: Select the Install - Adobe Reader -4. Setup will now start and perform the following: +4. Setup will now start and perform the following steps: 1. Install the Windows 10 Enterprise operating system. 2. Install applications. 3. Update the operating system using your local Windows Server Update Services (WSUS) server. diff --git a/windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md b/windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md index 078bb06ca8..fe96dcd42b 100644 --- a/windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md +++ b/windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md @@ -12,7 +12,7 @@ ms.topic: article # Configure MDT deployment share rules -In this topic, you will learn how to configure the MDT rules engine to reach out to other resources, including external scripts, databases, and web services, for additional information instead of storing settings directly in the rules engine. The rules engine in MDT is powerful: most of the settings used for operating system deployments are retrieved and assigned via the rules engine. In its simplest form, the rules engine is the CustomSettings.ini text file. +In this topic, you'll learn how to configure the MDT rules engine to reach out to other resources, including external scripts, databases, and web services, for additional information instead of storing settings directly in the rules engine. The rules engine in MDT is powerful: most of the settings used for operating system deployments are retrieved and assigned via the rules engine. In its simplest form, the rules engine is the CustomSettings.ini text file. ## Assign settings @@ -29,7 +29,7 @@ Before adding the more advanced components like scripts, databases, and web serv ### Set computer name by MAC Address -If you have a small test environment, or simply want to assign settings to a very limited number of machines, you can edit the rules to assign settings directly for a given MAC Address. If you have many machines, it makes sense to use the database instead. +If you have a small test environment, or simply want to assign settings to a limited number of machines, you can edit the rules to assign settings directly for a given MAC Address. If you have many machines, it makes sense to use the database instead. ``` [Settings] @@ -90,7 +90,7 @@ In the preceding sample, you still configure the rules to set the computer name ### Add laptops to a different organizational unit (OU) in Active Directory -In the rules, you find built-in properties that use a Windows Management Instrumentation (WMI) query to determine whether the machine you are deploying is a laptop, desktop, or server. In this sample, we assume you want to add laptops to different OUs in Active Directory. Note that ByLaptopType is not a reserved word; rather, it is the name of the section to read. +In the rules, you find built-in properties that use a Windows Management Instrumentation (WMI) query to determine whether the machine you're deploying is a laptop, desktop, or server. In this sample, we assume you want to add laptops to different OUs in Active Directory. Note that ByLaptopType isn't a reserved word; rather, it's the name of the section to read. ``` [Settings] diff --git a/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md b/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md index c4bbe93743..8c0ba8179d 100644 --- a/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md +++ b/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md @@ -1,6 +1,7 @@ --- title: Configure MDT settings (Windows 10) -description: One of the most powerful features in Microsoft Deployment Toolkit (MDT) is its extension capabilities; there is virtually no limitation to what you can do in terms of customization. +description: One of the most powerful features in Microsoft Deployment Toolkit (MDT) is its extension capabilities; there's virtually no limitation to what you can do in terms of customization. +ms.assetid: d3e1280c-3d1b-4fad-8ac4-b65dc711f122 ms.reviewer: manager: dougeby ms.author: aaroncz @@ -12,8 +13,8 @@ ms.topic: article # Configure MDT settings -One of the most powerful features in Microsoft Deployment Toolkit (MDT) is its extension capabilities; there is virtually no limitation to what you can do in terms of customization. In this topic, you learn about configuring customizations for your environment. -For the purposes of this topic, we will use four machines: DC01, MDT01, HV01, and PC0001. DC01 is a domain controller, MDT01 is a Windows Server 2012 R2 Standard server, and PC0001 is a Windows 10 Enterprise x64 client used for the MDT simulation environment. OR01 has Microsoft System Center 2012 R2 Orchestrator installed. MDT01, OR01, and PC0001 are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](./prepare-for-windows-deployment-with-mdt.md). +One of the most powerful features in Microsoft Deployment Toolkit (MDT) is its extension capabilities; there's virtually no limitation to what you can do in terms of customization. In this topic, you learn about configuring customizations for your environment. +For the purposes of this topic, we'll use four machines: DC01, MDT01, HV01, and PC0001. DC01 is a domain controller, MDT01 is a Windows Server 2012 R2 Standard server, and PC0001 is a Windows 10 Enterprise x64 client used for the MDT simulation environment. OR01 has Microsoft System Center 2012 R2 Orchestrator installed. MDT01, OR01, and PC0001 are members of the domain contoso.com for the fictitious Contoso Corporation. For more information on the setup for this topic, see [Deploy Windows 10 with the Microsoft Deployment Toolkit](./prepare-for-windows-deployment-with-mdt.md). ![figure 1.](../images/mdt-09-fig01.png) diff --git a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md index e9d1c48603..1f482f177d 100644 --- a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md +++ b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md @@ -15,12 +15,12 @@ ms.topic: article **Applies to** - Windows 10 -Creating a reference image is important because that image serves as the foundation for the devices in your organization. In this topic, you will learn how to create a Windows 10 reference image using the Microsoft Deployment Toolkit (MDT). You will create a deployment share, configure rules and settings, and import all the applications and operating system files required to build a Windows 10 reference image. After completing the steps outlined in this topic, you will have a Windows 10 reference image that can be used in your deployment solution. +Creating a reference image is important because that image serves as the foundation for the devices in your organization. In this topic, you 'll learn how to create a Windows 10 reference image using the Microsoft Deployment Toolkit (MDT). You 'll create a deployment share, configure rules and settings, and import all the applications and operating system files required to build a Windows 10 reference image. After completing the steps outlined in this topic, you 'll have a Windows 10 reference image that can be used in your deployment solution. >[!NOTE] ->See [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md) for more information about the server, client, and network infrastructure used in this guide. +>For more information about the server, client, and network infrastructure used in this guide, see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md). -For the purposes of this topic, we will use three computers: DC01, MDT01, and HV01. +For the purposes of this topic, we'll use three computers: DC01, MDT01, and HV01. - DC01 is a domain controller for the contoso.com domain. - MDT01 is a contoso.com domain member server. - HV01 is a Hyper-V server that will be used to build the reference image. @@ -31,22 +31,22 @@ For the purposes of this topic, we will use three computers: DC01, MDT01, and HV ## The reference image -The reference image described in this guide is designed primarily for deployment to physical devices. However, the reference image is typically created on a virtual platform, before being automatically run through the System Preparation (Sysprep) tool process and captured to a Windows Imaging (WIM) file. The reasons for creating the reference image on a virtual platform are the following: +The reference image described in this guide is designed primarily for deployment to physical devices. However, the reference image is typically created on a virtual platform, before being automatically run through the System Preparation (Sysprep) tool process and captured to a Windows Imaging (WIM) file. The reasons for creating the reference image on a virtual platform are: - To reduce development time and can use snapshots to test different configurations quickly. -- To rule out hardware issues. You simply get the best possible image, and if you have a problem, it's not likely to be hardware related. -- To ensures that you won't have unwanted applications that could be installed as part of a driver install but not removed by the Sysprep process. +- To rule out hardware issues. You get the best possible image, and if you've a problem, it's not likely to be hardware related. +- To ensure that you won't have unwanted applications that could be installed as part of a driver install but not removed by the Sysprep process. - The image is easy to move between lab, test, and production. ## Set up the MDT build lab deployment share -With Windows 10, there is no hard requirement to create reference images. However, to reduce the time needed for deployment, you might want to create a reference image that contains a few base applications as well as all of the latest updates. This section will show you how to create and configure the MDT Build Lab deployment share to create a Windows 10 reference image. Because reference images will be deployed only to virtual machines during the creation process and have specific settings (rules), you should always create a separate deployment share specifically for this process. +With Windows 10, there's no hard requirement to create reference images. However, to reduce the time needed for deployment, you might want to create a reference image that contains a few base applications and all of the latest updates. This section will show you how to create and configure the MDT Build Lab deployment share to create a Windows 10 reference image. Because reference images will be deployed only to virtual machines during the creation process and have specific settings (rules), you should always create a separate deployment share specifically for this process. ### Create the MDT build lab deployment share On **MDT01**: - Sign in as contoso\\administrator using a password of pass@word1 (credentials from the [prepare for deployment](prepare-for-windows-deployment-with-mdt.md) topic). -- Start the MDT deployment workbench, and pin this to the taskbar for easy access. +- Start the MDT deployment workbench, and pin this workbench to the taskbar for easy access. - Using the Deployment Workbench, right-click **Deployment Shares** and select **New Deployment Share**. - Use the following settings for the New Deployment Share Wizard: - Deployment share path: **D:\\MDTBuildLab** @@ -70,7 +70,7 @@ In order to read files in the deployment share and write the reference image bac On **MDT01**: -1. Ensure you are signed in as **contoso\\administrator**. +1. Ensure you're signed in as **contoso\\administrator**. 2. Modify the NTFS permissions for the **D:\\MDTBuildLab** folder by running the following command in an elevated Windows PowerShell prompt: ``` powershell @@ -84,7 +84,7 @@ This section will show you how to populate the MDT deployment share with the Win ### Add the Windows 10 installation files -MDT supports adding both full source Windows 10 DVDs (ISOs) and custom images that you have created. In this case, you create a reference image, so you add the full source setup files from Microsoft. +MDT supports adding both full source Windows 10 DVDs (ISOs) and custom images that you've created. In this case, you create a reference image, so you add the full source setup files from Microsoft. >[!NOTE] >Due to the Windows limits on path length, we are purposely keeping the operating system destination directory short, using the folder name W10EX64RTM rather than a more descriptive name like Windows 10 Enterprise x64 RTM. @@ -129,9 +129,9 @@ The steps in this section use a strict naming standard for your MDT applications Using a script naming standard is always recommended when using MDT as it helps maintain order and consistency. -By storing configuration items as MDT applications, it is easy to move these objects between various solutions, or between test and production environments. +By storing configuration items as MDT applications, it's easy to move these objects between various solutions, or between test and production environments. -In example sections, you will add the following applications: +In example sections, you 'll add the following applications: - Install - Microsoft Office 365 Pro Plus - x64 - Install - Microsoft Visual C++ Redistributable 2019 - x86 @@ -146,7 +146,7 @@ Download links: Download all three items in this list to the D:\\Downloads folder on MDT01. -**Note**: For the purposes of this lab, we will leave the MSVC files in the D:\\Downloads folder and the Office365 files will be extracted to a child folder. If you prefer, you can place each application in its own separate child folder and then modify the $ApplicationSourcePath below as needed (instead of just D:\\Downloads). +**Note**: For the purposes of this lab, we'll leave the MSVC files in the D:\\Downloads folder and the Office365 files will be extracted to a child folder. If you prefer, you can place each application in its own separate child folder and then modify the $ApplicationSourcePath below as needed (instead of just D:\\Downloads). >[!NOTE] >All the Microsoft Visual C++ downloads can be found on [The latest supported Visual C++ downloads](https://go.microsoft.com/fwlink/p/?LinkId=619523). Visual C++ 2015, 2017 and 2019 all share the same redistributable files. @@ -157,7 +157,9 @@ Download all three items in this list to the D:\\Downloads folder on MDT01. 2. Using a text editor (such as Notepad), create an XML file in the D:\\Downloads\\Office365 directory with the installation settings for Microsoft 365 Apps for enterprise that are appropriate for your organization. The file uses an XML format, so the file you create must have an extension of .xml but the file can have any filename. For example, you can use the following configuration.xml file, which provides these configuration settings: - - Install the 64-bit version of Microsoft 365 Apps for enterprise in English directly from the Office Content Delivery Network (CDN) on the internet. Note: 64-bit is now the default and recommended edition. + - Install the 64-bit version of Microsoft 365 Apps for enterprise in English directly from the Office Content Delivery Network (CDN) on the internet. + > [!NOTE] + > 64-bit is now the default and recommended edition. - Use the General Availability Channel and get updates directly from the Office CDN on the internet. - Perform a silent installation. You won’t see anything that shows the progress of the installation and you won’t see any error messages. @@ -173,27 +175,27 @@ Download all three items in this list to the D:\\Downloads folder on MDT01. ``` - By using these settings, any time you build the reference image you’ll be installing the most up-to-date General Availability Channel version of Microsoft 365 Apps for enterprise. + When you use these settings, any time you build the reference image you’ll be installing the most up-to-date General Availability Channel version of Microsoft 365 Apps for enterprise. >[!TIP] >You can also use the web-based interface of the [Office Customization Tool](https://config.office.com/) to help you create your configuration.xml file. - Also see [Configuration options for the Office Deployment Tool](/deployoffice/configuration-options-for-the-office-2016-deployment-tool) and [Overview of the Office Deployment Tool](/DeployOffice/overview-of-the-office-2016-deployment-tool) for more information. + For more information, see [Configuration options for the Office Deployment Tool](/deployoffice/configuration-options-for-the-office-2016-deployment-tool) and [Overview of the Office Deployment Tool](/DeployOffice/overview-of-the-office-2016-deployment-tool). 3. Ensure the configuration.xml file is in the D:\\Downloads\\Office365 folder. See the following example of the extracted files plus the configuration.xml file in the Downloads\\Office365 folder: ![folder.](../images/office-folder.png) - Assuming you have named the file "configuration.xml" as shown above, we will use the command "**setup.exe /configure configuration.xml**" when we create the application in MDT. This will perform the installation of Microsoft 365 Apps for enterprise using the configuration settings in the configuration.xml file. Do not perform this step yet. + Assuming you've named the file "configuration.xml" as shown above, we'll use the command "**setup.exe /configure configuration.xml**" when we create the application in MDT. This command execution will perform the installation of Microsoft 365 Apps for enterprise using the configuration settings in the configuration.xml file. Don't perform this step yet. >[!IMPORTANT] - >After Microsoft 365 Apps for enterprise is installed on the reference image, do NOT open any Office programs. if you open an Office program, you are prompted to sign-in, which activates the installation of Microsoft 365 Apps for enterprise. Even if you don't sign in and you close the Sign in to set up Office dialog box, a temporary product key is installed. You don't want any kind of product key for Microsoft 365 Apps for enterprise installed as part of your reference image. + >After Microsoft 365 Apps for enterprise is installed on the reference image, do NOT open any Office programs. if you open an Office program, you're prompted to sign-in, which activates the installation of Microsoft 365 Apps for enterprise. Even if you don't sign in and you close the Sign in to set up Office dialog box, a temporary product key is installed. You don't want any kind of product key for Microsoft 365 Apps for enterprise installed as part of your reference image. Additional information -- Microsoft 365 Apps for enterprise is usually updated on a monthly basis with security updates and other quality updates (bug fixes), and possibly new features (depending on which update channel you’re using). That means that once you’ve deployed your reference image, Microsoft 365 Apps for enterprise will most likely need to download and install the latest updates that have been released since you created your reference image. +- Microsoft 365 Apps for enterprise is updated on a monthly basis with security updates and other quality updates (bug fixes), and possibly new features (depending on which update channel you’re using). That means that once you’ve deployed your reference image, Microsoft 365 Apps for enterprise will most likely need to download and install the latest updates that have been released since you created your reference image. -- **Note**: By using installing Office Deployment Tool as part of the reference image, Microsoft 365 Apps for enterprise is installed immediately after the reference image is deployed to the user’s device, rather than including Office apps part of the reference image. This way the user will have the most up-to-date version of Microsoft 365 Apps for enterprise right away and won’t have to download any new updates (which is most likely what would happen if Microsoft 365 Apps for enterprise was installed as part of the reference image.) - - When you are creating your reference image, instead of installing Microsoft 365 Apps for enterprise directly from the Office CDN on the internet, you can install Microsoft 365 Apps for enterprise from a location on your local network, such as a file share. To do that, you would use the Office Deployment Tool in /download mode to download the installation files to that file share. Then you could use the Office Deployment Tool in /configure mode to install Microsoft 365 Apps for enterprise from that location on to your reference image. As part of that, you’ll need to point to that location in your configuration.xml file so that the Office Deployment Tool knows where to get the Microsoft 365 Apps for enterprise files. If you decide to do this, the next time you create a new reference image, you’ll want to be sure to use the Office Deployment Tool to download the most up-to-date installation files for Microsoft 365 Apps for enterprise to that location on your internal network. That way your new reference image will have a more up-to-date installation of Microsoft 365 Apps for enterprise. +- **Note**: With the installing Office Deployment Tool being used as part of the reference image, Microsoft 365 Apps for enterprise is installed immediately after the reference image is deployed to the user’s device, rather than including Office apps part of the reference image. This way the user will have the most up-to-date version of Microsoft 365 Apps for enterprise right away and won’t have to download any new updates (which is most likely what would happen if Microsoft 365 Apps for enterprise was installed as part of the reference image.) + - When you're creating your reference image, instead of installing Microsoft 365 Apps for enterprise directly from the Office CDN on the internet, you can install Microsoft 365 Apps for enterprise from a location on your local network, such as a file share. To do that, you would use the Office Deployment Tool in /download mode to download the installation files to that file share. Then you could use the Office Deployment Tool in /configure mode to install Microsoft 365 Apps for enterprise from that location on to your reference image. As part of that process, you’ll need to point to that location in your configuration.xml file so that the Office Deployment Tool knows where to get the Microsoft 365 Apps for enterprise files. If you decide to do this step, the next time you create a new reference image, you’ll want to be sure to use the Office Deployment Tool to download the most up-to-date installation files for Microsoft 365 Apps for enterprise to that location on your internal network. That way your new reference image will have a more up-to-date installation of Microsoft 365 Apps for enterprise. ### Connect to the deployment share using Windows PowerShell @@ -201,7 +203,7 @@ If you need to add many applications, you can take advantage of the PowerShell s On **MDT01**: -1. Ensure you are signed in as **contoso\\Administrator**. +1. Ensure you're signed in as **contoso\\Administrator**. 2. Import the snap-in and create the PSDrive by running the following commands in an elevated PowerShell prompt: ``` powershell @@ -213,11 +215,11 @@ On **MDT01**: ### Create the install: Microsoft Office 365 Pro Plus - x64 -In these steps we assume that you have downloaded the Office Deployment Tool. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to D:\\Downloads\\Office365. +In these steps, we assume that you've downloaded the Office Deployment Tool. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to D:\\Downloads\\Office365. On **MDT01**: -1. Ensure you are signed on as **contoso\\Administrator**. +1. Ensure you're signed on as **contoso\\Administrator**. 2. Create the application by running the following commands in an elevated PowerShell prompt: ``` powershell @@ -227,7 +229,7 @@ On **MDT01**: Import-MDTApplication -Path "DS001:\Applications\Microsoft" -Enable "True" -Name $ApplicationName -ShortName $ApplicationName -CommandLine $CommandLine -WorkingDirectory ".\Applications\$ApplicationName" -ApplicationSourcePath $ApplicationSourcePath -DestinationFolder $ApplicationName -Verbose ``` - Upon successful installation the following text is displayed: + Upon successful installation, the following text is displayed: ``` VERBOSE: Performing the operation "import" on target "Application". VERBOSE: Beginning application import @@ -246,11 +248,11 @@ On **MDT01**: >[!NOTE] >We have abbreviated "Microsoft Visual C++ Redistributable" in the $ApplicationName below as "MSVC" to avoid the path name exceeding the maxiumum allowed length of 248 characters. -In these steps we assume that you have downloaded Microsoft Visual C++ Redistributable 2019 - x86. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to D:\\Downloads. +In these steps, we assume that you've downloaded Microsoft Visual C++ Redistributable 2019 - x86. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to D:\\Downloads. On **MDT01**: -1. Ensure you are signed on as **contoso\\Administrator**. +1. Ensure you're signed on as **contoso\\Administrator**. 2. Create the application by running the following commands in an elevated PowerShell prompt: ``` powershell @@ -260,7 +262,7 @@ On **MDT01**: Import-MDTApplication -Path "DS001:\Applications\Microsoft" -Enable "True" -Name $ApplicationName -ShortName $ApplicationName -CommandLine $CommandLine -WorkingDirectory ".\Applications\$ApplicationName" -ApplicationSourcePath $ApplicationSourcePath -DestinationFolder $ApplicationName -Verbose ``` - Upon successful installation the following text is displayed: + Upon successful installation, the following text is displayed: ``` VERBOSE: Performing the operation "import" on target "Application". VERBOSE: Beginning application import @@ -275,11 +277,11 @@ On **MDT01**: ### Create the install: Microsoft Visual C++ Redistributable 2019 - x64 -In these steps we assume that you have downloaded Microsoft Visual C++ Redistributable 2019 - x64. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to D:\\Downloads. +In these steps, we assume that you've downloaded Microsoft Visual C++ Redistributable 2019 - x64. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to D:\\Downloads. On **MDT01**: -1. Ensure you are signed on as **contoso\\Administrator**. +1. Ensure you're signed on as **contoso\\Administrator**. 2. Create the application by running the following commands in an elevated PowerShell prompt: ``` powershell @@ -291,8 +293,8 @@ On **MDT01**: ## Create the reference image task sequence -In order to build and capture your Windows 10 reference image for deployment using MDT, you will create a task sequence. The task sequence will reference the operating system and applications that you previously imported into the MDT Build Lab deployment share to build a Windows 10 reference image. -After creating the task sequence, you configure it to enable patching against the Windows Server Update Services (WSUS) server. The Task Sequence Windows Update action supports getting updates directly from Microsoft Update, but you get more stable patching if you use a local WSUS server. WSUS also allows for an easy process of approving the patches that you are deploying. +In order to build and capture your Windows 10 reference image for deployment using MDT, you 'll create a task sequence. The task sequence will reference the operating system and applications that you previously imported into the MDT Build Lab deployment share to build a Windows 10 reference image. +After creating the task sequence, you configure it to enable patching against the Windows Server Update Services (WSUS) server. The Task Sequence Windows Update action supports getting updates directly from Microsoft Update, but you get more stable patching if you use a local WSUS server. WSUS also allows for an easy process of approving the patches that you're deploying. ### Drivers and the reference image @@ -304,18 +306,18 @@ To create a Windows 10 reference image task sequence, the process is as follows On **MDT01**: -1. Using the Deployment Workbench, under **Deployment Shares > MDT Build Lab** right-click **Task Sequences**, and create a **New Folder** named **Windows 10**. +1. When you're using the Deployment Workbench, under **Deployment Shares > MDT Build Lab** right-click **Task Sequences**, and create a **New Folder** named **Windows 10**. 2. Right-click the new **Windows 10** folder and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: 1. Task sequence ID: REFW10X64-001 2. Task sequence name: Windows 10 Enterprise x64 RTM Default Image 3. Task sequence comments: Reference Build 4. Template: Standard Client Task Sequence 5. Select OS: Windows 10 Enterprise x64 RTM Default Image - 6. Specify Product Key: Do not specify a product key at this time + 6. Specify Product Key: Don't specify a product key at this time 7. Full Name: Contoso 8. Organization: Contoso 9. Internet Explorer home page: http://www.contoso.com - 10. Admin Password: Do not specify an Administrator Password at this time + 10. Admin Password: Don't specify an Administrator Password at this time ### Edit the Windows 10 task sequence @@ -338,7 +340,7 @@ On **MDT01**: 3. Select the roles and features that should be installed: .NET Framework 3.5 (includes .NET 2.0 and 3.0) >[!IMPORTANT] - >This is probably the most important step when creating a reference image. Many applications need the .NET Framework, and we strongly recommend having it available in the image. The one thing that makes this different from other components is that .NET Framework 3.5.1 is not included in the WIM file. It is installed from the **Sources\\SxS** folder on the media, and that makes it more difficult to add after the image has been deployed. + >This is probably the most important step when creating a reference image. Many applications need the .NET Framework, and we strongly recommend having it available in the image. The one thing that makes this different from other components is that .NET Framework 3.5.1 is not included in the WIM file. It's installed from the **Sources\\SxS** folder on the media, and that makes it more difficult to add after the image has been deployed. ![task sequence.](../images/fig8-cust-tasks.png) @@ -355,7 +357,7 @@ On **MDT01**: ### Optional configuration: Add a suspend action -The goal when creating a reference image is of course to automate everything. But sometimes you have a special configuration or application setup that is too time-consuming to automate. If you need to do some manual configuration, you can add a little-known feature called Lite Touch Installation (LTI) Suspend. If you add the LTISuspend.wsf script as a custom action in the task sequence, it will suspend the task sequence until you click the Resume Task Sequence shortcut icon on the desktop. In addition to using the LTI Suspend feature for manual configuration or installation, you can also use it simply for verifying a reference image before you allow the task sequence to continue and use Sysprep and capture the virtual machine. +The goal when creating a reference image is to automate everything. But sometimes you've a special configuration or application setup that is too time-consuming to automate. If you need to do some manual configuration, you can add a little-known feature called Lite Touch Installation (LTI) Suspend. If you add the LTISuspend.wsf script as a custom action in the task sequence, it will suspend the task sequence until you click the Resume Task Sequence shortcut icon on the desktop. In addition to using the LTI Suspend feature for manual configuration or installation, you can also use it simply for verifying a reference image before you allow the task sequence to continue and use Sysprep and capture the virtual machine. ![figure 8.](../images/fig8-suspend.png) @@ -367,20 +369,20 @@ The goal when creating a reference image is of course to automate everything. Bu ### Edit the Unattend.xml file for Windows 10 Enterprise -When using MDT, you don't need to edit the Unattend.xml file very often because most configurations are taken care of by MDT. However if, for example, you want to configure Internet Explorer behavior, then you can edit the Unattend.xml for this. Editing the Unattend.xml for basic Internet Explorer settings is easy, but for more advanced settings, you will want to use the Internet Explorer Administration Kit (IEAK). +When using MDT, you don't need to edit the Unattend.xml file often because most configurations are taken care of by MDT. However if, for example, you want to configure Internet Explorer behavior, then you can edit the Unattend.xml. Editing the Unattend.xml for basic Internet Explorer settings is easy, but for more advanced settings, you 'll want to use the Internet Explorer Administration Kit (IEAK). >[!WARNING] ->Do not use **SkipMachineOOBE** or **SkipUserOOBE** in your Unattend.xml file. These settings are deprecated and can have unintended effects if used. +>Don't use **SkipMachineOOBE** or **SkipUserOOBE** in your Unattend.xml file. These settings are deprecated and can have unintended effects if used. >[!NOTE] ->You also can use the Unattend.xml to enable components in Windows 10, like the Telnet Client or Hyper-V client. Normally we prefer to do this via the **Install Roles and Features** action, or using Deployment Image Servicing and Management (DISM) command-line tools, because then we can add that as an application, being dynamic, having conditions, and so forth. Also, if you are adding packages via Unattend.xml, it is version specific, so Unattend.xml must match the exact version of the operating system you are servicing. +>You also can use the Unattend.xml to enable components in Windows 10, like the Telnet Client or Hyper-V client. Normally we prefer to do this via the **Install Roles and Features** action, or using Deployment Image Servicing and Management (DISM) command-line tools, because then we can add that as an application, being dynamic, having conditions, and so forth. Also, if you're adding packages via Unattend.xml, it's version specific, so Unattend.xml must match the exact version of the operating system you're servicing. Follow these steps to configure Internet Explorer settings in Unattend.xml for the Windows 10 Enterprise x64 RTM Default Image task sequence: On **MDT01**: -1. Using the Deployment Workbench, under **Deployment Shares > MDT Build Lab > Task Sequences** right-click the **Windows 10 Enterprise x64 RTM Default Image** task sequence and select **Properties**. -2. In the **OS Info** tab, click **Edit Unattend.xml**. MDT now generates a catalog file. This will take a few minutes, and then Windows System Image Manager (Windows SIM) will start. +1. When you're using the Deployment Workbench, under **Deployment Shares > MDT Build Lab > Task Sequences** right-click the **Windows 10 Enterprise x64 RTM Default Image** task sequence and select **Properties**. +2. In the **OS Info** tab, click **Edit Unattend.xml**. MDT now generates a catalog file. This file generation process will take a few minutes, and then Windows System Image Manager (Windows SIM) will start. > [!IMPORTANT] > The ADK version 1903 has a [known issue](/windows-hardware/get-started/what-s-new-in-kits-and-tools#whats-new-in-the-windows-adk-for-windows-10-version-1903) generating a catalog file for Windows 10, version 1903 or 1909 X64 install.wim. You might see the error "Could not load file or assembly" in in the console output. To avoid this issue, [install the ADK, version 2004 or a later version](/windows-hardware/get-started/adk-install). A workaround is also available for the ADK version 1903: @@ -393,7 +395,8 @@ On **MDT01**: 4. In the **amd64\_Microsoft-Windows-IE-InternetExplorer\_neutral properties** window (right-hand window), set the following values: - DisableDevTools: true 5. Save the Unattend.xml file, and close Windows SIM. - - Note: If errors are reported that certain display values are incorrect, you can ignore this or browse to **7oobeSystem\\amd64_Microsoft-Windows-Shell-Setup__neutral\\Display** and enter the following: ColorDepth 32, HorizontalResolution 1, RefreshRate 60, VerticalResolution 1. + > [!NOTE] + > If errors are reported that certain display values are incorrect, you can ignore this message or browse to **7oobeSystem\\amd64_Microsoft-Windows-Shell-Setup__neutral\\Display** and enter the following: ColorDepth 32, HorizontalResolution 1, RefreshRate 60, VerticalResolution 1. 6. On the Windows 10 Enterprise x64 RTM Default Image Properties, click **OK**. ![figure 10.](../images/fig10-unattend.png) @@ -413,7 +416,7 @@ To configure the rules for the MDT Build Lab deployment share: On **MDT01**: 1. Using the Deployment Workbench, right-click the **MDT Build Lab** deployment share and select **Properties**. -2. Select the **Rules** tab and replace the existing content with the following information (edit the settings as needed to match your deployment). For example, If you do not have a WSUS server in your environment, delete the **WSUSServer** line from the configuration: +2. Select the **Rules** tab and replace the existing content with the following information (edit the settings as needed to match your deployment). For example, If you don't have a WSUS server in your environment, delete the **WSUSServer** line from the configuration: ``` [Settings] @@ -469,7 +472,7 @@ On **MDT01**: ``` >[!NOTE] - >For security reasons, you normally don't add the password to the Bootstrap.ini file; however, because this deployment share is for creating reference image builds only, and should not be published to the production network, it is acceptable to do so in this situation. Obviously if you are not using the same password (pass@word3) that is provided in this lab, you must enter your own custom password on the Rules tab and in Bootstrap.ini. + >For security reasons, you normally don't add the password to the Bootstrap.ini file; however, because this deployment share is for creating reference image builds only, and should not be published to the production network, it's acceptable to do so in this situation. Obviously if you're not using the same password (pass@word3) that is provided in this lab, you must enter your own custom password on the Rules tab and in Bootstrap.ini. 4. On the **Windows PE** tab, in the **Platform** drop-down list, select **x86**. 5. In the **Lite Touch Boot Image Settings** area, configure the following settings: @@ -486,7 +489,7 @@ On **MDT01**: ### Update the deployment share -After the deployment share has been configured, it needs to be updated. This is the process when the Windows PE boot images are created. +After the deployment share has been configured, it needs to be updated. This update-process is the one when the Windows PE boot images are created. 1. In the Deployment Workbench, right-click the **MDT Build Lab** deployment share and select **Update Deployment Share**. 2. Use the default options for the Update Deployment Share Wizard. @@ -496,9 +499,9 @@ After the deployment share has been configured, it needs to be updated. This is ### The rules explained -Now that the MDT Build Lab deployment share (the share used to create the reference images) has been configured, it is time to explain the various settings used in the Bootstrap.ini and CustomSettings.ini files. +Now that the MDT Build Lab deployment share (the share used to create the reference images) has been configured, it's time to explain the various settings used in the Bootstrap.ini and CustomSettings.ini files. -The Bootstrap.ini and CustomSettings.ini files work together. The Bootstrap.ini file is always present on the boot image and is read first. The basic purpose for Bootstrap.ini is to provide just enough information for MDT to find the CustomSettings.ini. +The Bootstrap.ini and CustomSettings.ini files work together. The Bootstrap.ini file is always present on the boot image and is read first. The basic purpose for Bootstrap.ini is to provide enough information for MDT to find the CustomSettings.ini. The CustomSettings.ini file is normally stored on the server, in the Deployment share\\Control folder, but also can be stored on the media (when using offline media). @@ -521,14 +524,14 @@ SkipBDDWelcome=YES ``` So, what are these settings? -- **Priority.** This determines the order in which different sections are read. This Bootstrap.ini has only one section, named \[Default\]. -- **DeployRoot.** This is the location of the deployment share. Normally, this value is set by MDT, but you need to update the DeployRoot value if you move to another server or other share. If you don't specify a value, the Windows Deployment Wizard prompts you for a location. -- **UserDomain, UserID, and UserPassword.** These values are used for automatic log on to the deployment share. Again, if they are not specified, the wizard prompts you. +- **Priority.** This setting determines the order in which different sections are read. This Bootstrap.ini has only one section, named \[Default\]. +- **DeployRoot.** This location is of the deployment share. Normally, this value is set by MDT, but you need to update the DeployRoot value if you move to another server or other share. If you don't specify a value, the Windows Deployment Wizard prompts you for a location. +- **UserDomain, UserID, and UserPassword.** These values are used for automatic sign in to the deployment share. Again, if they aren't specified, the wizard prompts you. >[!WARNING] >Caution is advised. These values are stored in clear text on the boot image. Use them only for the MDT Build Lab deployment share and not for the MDT Production deployment share that you learn to create in the next topic. -- **SkipBDDWelcome.** Even if it is nice to be welcomed every time we start a deployment, we prefer to skip the initial welcome page of the Windows Deployment Wizard. +- **SkipBDDWelcome.** Even if it's nice to be welcomed every time we start a deployment, we prefer to skip the initial welcome page of the Windows Deployment Wizard. >[!NOTE] >All properties beginning with "Skip" control only whether to display that pane in the Windows Deployment Wizard. Most of the panes also require you to actually set one or more values. @@ -569,20 +572,20 @@ SkipRoles=YES SkipCapture=NO SkipFinalSummary=YES ``` -- **Priority.** Has the same function as in Bootstrap.ini. Priority determines the order in which different sections are read. This CustomSettings.ini has only one section, named \[Default\]. In general, if you have multiple sections that set the same value, the value from the first section (higher priority) wins. The rare exceptions are listed in the ZTIGather.xml file. +- **Priority.** Has the same function as in Bootstrap.ini. Priority determines the order in which different sections are read. This CustomSettings.ini has only one section, named \[Default\]. In general, if you've multiple sections that set the same value, the value from the first section (higher priority) wins. The rare exceptions are listed in the ZTIGather.xml file. - **\_SMSTSORGNAME.** The organization name displayed in the task sequence progress bar window during deployment. -- **UserDataLocation.** Controls the settings for user state backup. You do not need to use when building and capturing a reference image. +- **UserDataLocation.** Controls the settings for user state backup. You don't need to use when building and capturing a reference image. - **DoCapture.** Configures the task sequence to run the System Preparation (Sysprep) tool and capture the image to a file when the operating system is installed. -- **OSInstall.** Must be set to Y or YES (the code actually just looks for the Y character) for the setup to proceed. +- **OSInstall.** Must be set to Y or YES (the code just looks for the Y character) for the setup to proceed. - **AdminPassword.** Sets the local Administrator account password. - **TimeZoneName.** Establishes the time zone to use. Don't confuse this value with TimeZone, which is only for legacy operating systems (Windows 7 and Windows Server 2003). **Note**: The easiest way to find the current time zone name on a Windows 10 machine is to run tzutil /g in a command prompt. You can also run tzutil /l to get a listing of all available time zone names. - **JoinWorkgroup.** Configures Windows to join a workgroup. -- **HideShell.** Hides the Windows Shell during deployment. This is especially useful for Windows 10 deployments in which the deployment wizard will otherwise appear behind the tiles. +- **HideShell.** Hides the Windows Shell during deployment. This hide-operation is especially useful for Windows 10 deployments in which the deployment wizard will otherwise appear behind the tiles. - **FinishAction.** Instructs MDT what to do when the task sequence is complete. -- **DoNotCreateExtraPartition.** Configures the task sequence not to create the extra partition for BitLocker. There is no need to do this for your reference image. +- **DoNotCreateExtraPartition.** Configures the task sequence not to create the extra partition for BitLocker. There's no need to do this configuration for your reference image. - **WSUSServer.** Specifies which Windows Server Update Services (WSUS) server (and port, if needed) to use during the deployment. Without this option MDT will use Microsoft Update directly, which will increase deployment time and limit your options of controlling which updates are applied. - **SLSHARE.** Instructs MDT to copy the log files to a server share if something goes wrong during deployment, or when a deployment is successfully completed. - **ApplyGPOPack.** Allows you to deploy local group policies created by Microsoft Security Compliance Manager (SCM). @@ -602,9 +605,9 @@ SkipFinalSummary=YES ## Build the Windows 10 reference image -As previously described, this section requires a Hyper-V host. See [Hyper-V requirements](prepare-for-windows-deployment-with-mdt.md#hyper-v-requirements) for more information. +As previously described, this section requires a Hyper-V host. For more information, see [Hyper-V requirements](prepare-for-windows-deployment-with-mdt.md#hyper-v-requirements). -Once you have created your task sequence, you are ready to create the Windows 10 reference image. This will be performed by launching the task sequence from a virtual machine which will then automatically perform the reference image creation and capture process. +Once you've created your task sequence, you're ready to create the Windows 10 reference image. This image creation will be performed by launching the task sequence from a virtual machine that will then automatically perform the reference image creation and capture process. The steps below outline the process used to boot a virtual machine using an ISO boot image created by MDT, and then run the reference image task sequence image to create and capture the Windows 10 reference image. @@ -628,7 +631,7 @@ On **HV01**: 4. Start the REFW10X64-001 virtual machine and connect to it. - **Note**: Up to this point we have not discussed IP addressing or DHCP. In the initial setup for this guide, DC01 was provisioned as a DHCP server to provide IP address leases to client computers. You might have a different DHCP server on your network that you wish to use. The REFW10X64-001 virtual machine requires an IP address lease that provides it with connectivity to MDT01 so that it can connect to the \\MDT01\MDTBuildLab$ share. In the current scenario this is accomplished with a DHCP scope that provides IP addresses in the 10.10.10.100 - 10.10.10.200 range, as part of a /24 subnet so that the client can connect to MDT01 at 10.10.10.11. + **Note**: Up to this point we haven't discussed IP addressing or DHCP. In the initial setup for this guide, DC01 was provisioned as a DHCP server to provide IP address leases to client computers. You might have a different DHCP server on your network that you wish to use. The REFW10X64-001 virtual machine requires an IP address lease that provides it with connectivity to MDT01 so that it can connect to the \\MDT01\MDTBuildLab$ share. In the current scenario, this connectivity is accomplished with a DHCP scope that provides IP addresses in the 10.10.10.100 - 10.10.10.200 range, as part of a /24 subnet so that the client can connect to MDT01 at 10.10.10.11. After booting into Windows PE, complete the Windows Deployment Wizard with the following settings: 1. Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM Default Image @@ -640,7 +643,7 @@ On **HV01**: The Windows Deployment Wizard for the Windows 10 reference image. -5. The setup now starts and does the following: +5. The setup now starts and does the following steps: 1. Installs the Windows 10 Enterprise operating system. 2. Installs the added applications, roles, and features. 3. Updates the operating system via your local Windows Server Update Services (WSUS) server. @@ -649,7 +652,7 @@ On **HV01**: 6. Captures the installation to a Windows Imaging (WIM) file. 7. Turns off the virtual machine. -After some time, you will have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep, located in the D:\\MDTBuildLab\\Captures folder on your deployment server. The file name is REFW10X64-001.wim. +After some time, you 'll have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep, located in the D:\\MDTBuildLab\\Captures folder on your deployment server. The file name is REFW10X64-001.wim. ![image.](../images/image-captured.png) @@ -662,9 +665,9 @@ If you [enabled monitoring](#enable-monitoring), you can check the progress of t ![monitoring.](../images/mdt-monitoring.png) -If there are problems with your task sequence, you can troubleshoot in Windows PE by pressing F8 to open a command prompt. There are several [MDT log files](/configmgr/mdt/troubleshooting-reference#mdt-logs) created that can be helpful determining the origin of an error, such as BDD.log. From the command line in Windows PE you can copy these logs from the client to your MDT server for viewing with CMTrace. For example: copy BDD.log \\\\mdt01\\logs$. +If there are problems with your task sequence, you can troubleshoot in Windows PE by pressing F8 to open a command prompt. There are several [MDT log files](/configmgr/mdt/troubleshooting-reference#mdt-logs) created that can be helpful determining the origin of an error, such as BDD.log. From the command line in Windows PE, you can copy these logs from the client to your MDT server for viewing with CMTrace. For example: copy BDD.log \\\\mdt01\\logs$. -After some time, you will have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep, located in the D:\\MDTBuildLab\\Captures folder on your deployment server. The file name is REFW10X64-001.wim. +After some time, you 'll have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep, located in the D:\\MDTBuildLab\\Captures folder on your deployment server. The file name is REFW10X64-001.wim. ## Related topics diff --git a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md index 25eddbf4ef..90deeb5238 100644 --- a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md +++ b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md @@ -15,16 +15,16 @@ ms.topic: article **Applies to** - Windows 10 -This topic will show you how to take your reference image for Windows 10 (that was just [created](create-a-windows-10-reference-image.md)), and deploy that image to your environment using the Microsoft Deployment Toolkit (MDT). +This topic will show you how to take your reference image for Windows 10 (that was [created](create-a-windows-10-reference-image.md)), and deploy that image to your environment using the Microsoft Deployment Toolkit (MDT). -We will prepare for this by creating an MDT deployment share that is used solely for image deployment. Separating the processes of creating reference images from the processes used to deploy them in production allows greater control of on both processes. We will configure Active Directory permissions, configure the deployment share, create a new task sequence, and add applications, drivers, and rules. +We'll prepare for this deployment by creating an MDT deployment share that is used solely for image deployment. Separating the processes of creating reference images from the processes used to deploy them in production allows greater control of on both processes. We'll configure Active Directory permissions, configure the deployment share, create a new task sequence, and add applications, drivers, and rules. -For the purposes of this topic, we will use four computers: DC01, MDT01, HV01 and PC0005. +For the purposes of this topic, we'll use four computers: DC01, MDT01, HV01 and PC0005. - DC01 is a domain controller - MDT01 is a domain member server - HV01 is a Hyper-V server -- PC0005 is a blank device to which we will deploy Windows 10 +- PC0005 is a blank device to which we'll deploy Windows 10 MDT01 and PC0005 are members of the domain contoso.com for the fictitious Contoso Corporation. HV01 used to test deployment of PC0005 in a virtual environment. @@ -35,7 +35,7 @@ MDT01 and PC0005 are members of the domain contoso.com for the fictitious Contos ## Step 1: Configure Active Directory permissions -These steps will show you how to configure an Active Directory account with the permissions required to deploy a Windows 10 machine to the domain using MDT. These steps assume you have The account is used for Windows Preinstallation Environment (Windows PE) to connect to MDT01. In order for MDT to join machines into the contoso.com domain you need to create an account and configure permissions in Active Directory. +These steps will show you how to configure an Active Directory account with the permissions required to deploy a Windows 10 machine to the domain using MDT. These steps assume you've The account is used for Windows Preinstallation Environment (Windows PE) to connect to MDT01. In order for MDT to join machines into the contoso.com domain you need to create an account and configure permissions in Active Directory. On **DC01**: @@ -55,7 +55,7 @@ On **DC01**: .\Set-OUPermissions.ps1 -Account MDT_JD -TargetOU "OU=Workstations,OU=Computers,OU=Contoso" ``` - The following is a list of the permissions being granted: + The following list is of the permissions being granted: - Scope: This object and all descendant objects - Create Computer objects @@ -72,7 +72,7 @@ On **DC01**: ## Step 2: Set up the MDT production deployment share -Next, create a new MDT deployment share. You should not use the same deployment share that you used to create the reference image for a production deployment. Perform this procedure on the MDT01 server. +Next, create a new MDT deployment share. You shouldn't use the same deployment share that you used to create the reference image for a production deployment. Perform this procedure on the MDT01 server. ### Create the MDT production deployment share @@ -80,7 +80,7 @@ On **MDT01**: The steps for creating the deployment share for production are the same as when you created the deployment share for creating the custom reference image: -1. Ensure you are signed on as: contoso\administrator. +1. Ensure you're signed on as: contoso\administrator. 2. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**. 3. On the **Path** page, in the **Deployment share path** text box, type **D:\\MDTProduction** and click **Next**. @@ -97,7 +97,7 @@ To read files in the deployment share, you need to assign NTFS and SMB permissio On **MDT01**: -1. Ensure you are signed in as **contoso\\administrator**. +1. Ensure you're signed in as **contoso\\administrator**. 2. Modify the NTFS permissions for the **D:\\MDTProduction** folder by running the following command in an elevated Windows PowerShell prompt: ``` powershell @@ -107,11 +107,11 @@ On **MDT01**: ## Step 3: Add a custom image -The next step is to add a reference image into the deployment share with the setup files required to successfully deploy Windows 10. When adding a custom image, you still need to copy setup files (an option in the wizard) because Windows 10 stores additional components in the Sources\\SxS folder which is outside the image and may be required when installing components. +The next step is to add a reference image into the deployment share with the setup files required to successfully deploy Windows 10. When adding a custom image, you still need to copy setup files (an option in the wizard) because Windows 10 stores other components in the Sources\\SxS folder that is outside the image and may be required when installing components. ### Add the Windows 10 Enterprise x64 RTM custom image -In these steps, we assume that you have completed the steps in the [Create a Windows 10 reference image](create-a-windows-10-reference-image.md) topic, so you have a Windows 10 reference image at **D:\\MDTBuildLab\\Captures\REFW10X64-001.wim** on MDT01. +In these steps, we assume that you've completed the steps in the [Create a Windows 10 reference image](create-a-windows-10-reference-image.md) topic, so you've a Windows 10 reference image at **D:\\MDTBuildLab\\Captures\REFW10X64-001.wim** on MDT01. 1. Using the Deployment Workbench, expand the **Deployment Shares** node, and then expand **MDT Production**; select the **Operating Systems** node, and create a folder named **Windows 10**. 2. Right-click the **Windows 10** folder and select **Import Operating System**. @@ -139,8 +139,8 @@ When you configure your MDT Build Lab deployment share, you can also add applica On **MDT01**: -1. Download the Enterprise distribution version of [Adobe Acrobat Reader DC](https://get.adobe.com/reader/enterprise/) (AcroRdrDC2200120142_en_US.exe) to **D:\\setup\\adobe** on MDT01. -2. Extract the .exe file that you downloaded to an .msi (ex: .\AcroRdrDC2200120142_en_US.exe -sfx_o"d:\setup\adobe\install\" -sfx_ne). +1. Download the Enterprise distribution version of [Adobe Acrobat Reader DC](https://get.adobe.com/reader/enterprise/) (AcroRdrDC2100520060_en_US.exe) to **D:\\setup\\adobe** on MDT01. +2. Extract the .exe file that you downloaded to a .msi (ex: .\AcroRdrDC2100520060_en_US.exe -sfx_o"d:\setup\adobe\install\" -sfx_ne). 3. In the Deployment Workbench, expand the **MDT Production** node and navigate to the **Applications** node. 4. Right-click the **Applications** node, and create a new folder named **Adobe**. @@ -175,12 +175,12 @@ For boot images, you need to have storage and network drivers; for the operating ### Create the driver source structure in the file system -The key to successful management of drivers for MDT, as well as for any other deployment solution, is to have a really good driver repository. From this repository, you import drivers into MDT for deployment, but you should always maintain the repository for future use. +The key to successful management of drivers for MDT, and for any other deployment solution, is to have a good driver repository. From this repository, you import drivers into MDT for deployment, but you should always maintain the repository for future use. On **MDT01**: > [!IMPORTANT] -> In the steps below, it is critical that the folder names used for various computer makes and models exactly match the results of **wmic computersystem get model,manufacturer** on the target system. +> In the steps below, it's critical that the folder names used for various computer makes and models exactly match the results of **wmic computersystem get model,manufacturer** on the target system. 1. Using File Explorer, create the **D:\\drivers** folder. 2. In the **D:\\drivers** folder, create the following folder structure: @@ -198,11 +198,11 @@ On **MDT01**: - Surface Laptop > [!NOTE] -> Even if you are not going to use both x86 and x64 boot images, we still recommend that you add the support structure for future use. +> Even if you're not going to use both x86 and x64 boot images, we still recommend that you add the support structure for future use. ### Create the logical driver structure in MDT -When you import drivers to the MDT driver repository, MDT creates a single instance folder structure based on driver class names. However, you can, and should, mimic the driver structure of your driver source repository in the Deployment Workbench. This is done by creating logical folders in the Deployment Workbench. +When you import drivers to the MDT driver repository, MDT creates a single instance folder structure based on driver class names. However, you can, and should, mimic the driver structure of your driver source repository in the Deployment Workbench. This mimic is done by creating logical folders in the Deployment Workbench. 1. On MDT01, using Deployment Workbench, select the **Out-of-Box Drivers** node. 2. In the **Out-Of-Box Drivers** node, create the following folder structure: 1. WinPE x86 @@ -260,7 +260,7 @@ On **MDT01**: ### Extract and import drivers for the x64 boot image -Windows PE supports all the hardware models that we have, but here you learn to add boot image drivers to accommodate any new hardware that might require additional drivers. In this example, you add the latest Intel network drivers to the x64 boot image. +Windows PE supports all the hardware models that we have, but here you learn to add boot image drivers to accommodate any new hardware that might require more drivers. In this example, you add the latest Intel network drivers to the x64 boot image. On **MDT01**: @@ -282,7 +282,7 @@ For the ThinkStation P500 model, you use the Lenovo ThinkVantage Update Retrieve To get the updates, download the drivers from the Lenovo ThinkVantage Update Retriever using its export function. You can also download the drivers by searching PC Support on the [Lenovo website](https://go.microsoft.com/fwlink/p/?LinkId=619543). -In this example, we assume you have downloaded and extracted the drivers using ThinkVantage Update Retriever to the **D:\\Drivers\\Lenovo\\ThinkStation P500 (30A6003TUS)** directory. +In this example, we assume you've downloaded and extracted the drivers using ThinkVantage Update Retriever to the **D:\\Drivers\\Lenovo\\ThinkStation P500 (30A6003TUS)** directory. On **MDT01**: @@ -292,13 +292,13 @@ On **MDT01**: **D:\\Drivers\\Windows 10 x64\\Lenovo\\ThinkStation P500 (30A6003TUS)** - The folder you select and all sub-folders will be checked for drivers, expanding any .cab files that are present and searching for drivers. + The folder you select and all subfolders will be checked for drivers, expanding any .cab files that are present and searching for drivers. ### For the Latitude E7450 For the Dell Latitude E7450 model, you use the Dell Driver CAB file, which is accessible via the [Dell TechCenter website](https://go.microsoft.com/fwlink/p/?LinkId=619544). -In these steps, we assume you have downloaded and extracted the CAB file for the Latitude E7450 model to the **D:\\Drivers\\Dell Inc.\\Latitude E7450** folder. +In these steps, we assume you've downloaded and extracted the CAB file for the Latitude E7450 model to the **D:\\Drivers\\Dell Inc.\\Latitude E7450** folder. On **MDT01**: @@ -312,7 +312,7 @@ On **MDT01**: For the HP EliteBook 8560w, you use HP Image Assistant to get the drivers. The HP Image Assistant can be accessed on the [HP Support site](https://ftp.ext.hp.com/pub/caps-softpaq/cmit/HPIA.html). -In these steps, we assume you have downloaded and extracted the drivers for the HP EliteBook 8650w model to the **D:\\Drivers\\Windows 10 x64\\Hewlett-Packard\\HP EliteBook 8560w** folder. +In these steps, we assume you've downloaded and extracted the drivers for the HP EliteBook 8650w model to the **D:\\Drivers\\Windows 10 x64\\Hewlett-Packard\\HP EliteBook 8560w** folder. On **MDT01**: @@ -324,7 +324,7 @@ On **MDT01**: ### For the Microsoft Surface Laptop -For the Microsoft Surface Laptop model, you find the drivers on the Microsoft website. In these steps we assume you have downloaded and extracted the Surface Laptop drivers to the **D:\\Drivers\\Windows 10 x64\\Microsoft\\Surface Laptop** folder. +For the Microsoft Surface Laptop model, you find the drivers on the Microsoft website. In these steps, we assume you've downloaded and extracted the Surface Laptop drivers to the **D:\\Drivers\\Windows 10 x64\\Microsoft\\Surface Laptop** folder. On **MDT01**: @@ -336,7 +336,7 @@ On **MDT01**: ## Step 6: Create the deployment task sequence -This section will show you how to create the task sequence used to deploy your production Windows 10 reference image. You will then configure the task sequence to enable patching via a Windows Server Update Services (WSUS) server. +This section will show you how to create the task sequence used to deploy your production Windows 10 reference image. You'll then configure the task sequence to enable patching via a Windows Server Update Services (WSUS) server. ### Create a task sequence for Windows 10 Enterprise @@ -350,11 +350,11 @@ On **MDT01**: - Task sequence comments: Production Image - Template: Standard Client Task Sequence - Select OS: Windows 10 Enterprise x64 RTM Custom Image - - Specify Product Key: Do not specify a product key at this time + - Specify Product Key: Don't specify a product key at this time - Full Name: Contoso - Organization: Contoso - Internet Explorer home page: `https://www.contoso.com` - - Admin Password: Do not specify an Administrator Password at this time + - Admin Password: Don't specify an Administrator Password at this time ### Edit the Windows 10 task sequence @@ -372,7 +372,7 @@ On **MDT01**: - Install all drivers from the selection profile > [!NOTE] - > The configuration above indicates that MDT should only use drivers from the folder specified by the DriverGroup001 property, which is defined by the "Choose a selection profile: Nothing" setting, and that MDT should not use plug and play to determine which drivers to copy, which is defined by the "Install all drivers from the selection profile" setting. + > The configuration above indicates that MDT should only use drivers from the folder specified by the DriverGroup001 property, which is defined by the "Choose a selection profile: Nothing" setting, and that MDT shouldn't use plug and play to determine which drivers to copy, which is defined by the "Install all drivers from the selection profile" setting. 3. State Restore. Enable the **Windows Update (Pre-Application Installation)** action. @@ -386,7 +386,7 @@ On **MDT01**: ## Step 7: Configure the MDT production deployment share -In this section, you will learn how to configure the MDT Build Lab deployment share with the rules required to create a simple and dynamic deployment process. This includes configuring commonly used rules and an explanation of how these rules work. +In this section, you'll learn how to configure the MDT Build Lab deployment share with the rules required to create a dynamic deployment process. This configuration includes commonly used rules and an explanation of how these rules work. ### Configure the rules @@ -460,7 +460,7 @@ On **MDT01**: > [!NOTE] > - > Because you are going to use Pre-Boot Execution Environment (PXE) later to deploy the machines, you do not need the ISO file; however, we recommend creating ISO files because they are useful when troubleshooting deployments and for quick tests. + > Because you're going to use Pre-Boot Execution Environment (PXE) later to deploy the machines, you don't need the ISO file; however, we recommend creating ISO files because they're useful when troubleshooting deployments and for quick tests. 6. On the **Drivers and Patches** sub tab, select the **WinPE x86** selection profile and select the **Include all drivers from the selection profile** option. @@ -488,13 +488,13 @@ On **MDT01**: ### The rules explained -The rules for the MDT Production deployment share are somewhat different from those for the MDT Build Lab deployment share. The biggest differences are that you deploy the machines into a domain instead of a workgroup. +The rules for the MDT Production deployment share are different from those rules for the MDT Build Lab deployment share. The biggest differences are that you deploy the machines into a domain instead of a workgroup. -You can optionally remove the **UserID** and **UserPassword** entries from Bootstrap.ini so that users performing PXE boot are prompted to provide credentials with permission to connect to the deployment share. Setting **SkipBDDWelcome=NO** enables the welcome screen that displays options to run the deployment wizard, run DaRT tools (if installed), exit to a Windows PE command prompt, set the keyboard layout, or configure a static IP address. In this example we are skipping the welcome screen and providing credentials. +You can optionally remove the **UserID** and **UserPassword** entries from Bootstrap.ini so that users performing PXE boot are prompted to provide credentials with permission to connect to the deployment share. Setting **SkipBDDWelcome=NO** enables the welcome screen that displays options to run the deployment wizard, run DaRT tools (if installed), exit to a Windows PE command prompt, set the keyboard layout, or configure a static IP address. In this example, we're skipping the welcome screen and providing credentials. ### The Bootstrap.ini file -This is the MDT Production Bootstrap.ini: +This file is the MDT Production Bootstrap.ini: ``` [Settings] @@ -510,7 +510,7 @@ SkipBDDWelcome=YES ### The CustomSettings.ini file -This is the CustomSettings.ini file with the new join domain information: +This file is the CustomSettings.ini file with the new join domain information: ``` [Settings] @@ -557,7 +557,7 @@ Some properties to use in the MDT Production rules file are as follows: - **DomainAdminPassword.** The password for the join domain account. - **MachineObjectOU.** The organizational unit (OU) to which to add the computer account. - **ScanStateArgs.** Arguments for the User State Migration Tool (USMT) ScanState command. -- **USMTMigFiles(\*).** List of USMT templates (controlling what to backup and restore). +- **USMTMigFiles(\*).** List of USMT templates (controlling what to back up and restore). - **EventService.** Activates logging information to the MDT monitoring web service. > [!NOTE] @@ -568,11 +568,11 @@ Some properties to use in the MDT Production rules file are as follows: ### Optional deployment share configuration -If your organization has a Microsoft Software Assurance agreement, you also can subscribe to the additional Microsoft Desktop Optimization Package (MDOP) license (at an additional cost). Included in MDOP is Microsoft Diagnostics and Recovery Toolkit (DaRT), which contains tools that can help you troubleshoot MDT deployments, as well as troubleshoot Windows itself. +If your organization has a Microsoft Software Assurance agreement, you also can subscribe to another Microsoft Desktop Optimization Package (MDOP) license (at an extra cost). Included in MDOP is Microsoft Diagnostics and Recovery Toolkit (DaRT), which contains tools that can help you troubleshoot MDT deployments, and troubleshoot Windows itself. ### Add DaRT 10 to the boot images -If you have licensing for MDOP and DaRT, you can add DaRT to the boot images using the steps in this section. If you do not have DaRT licensing, or don't want to use it, simply skip to the next section, [Update the Deployment Share](#update-the-deployment-share). To enable the remote connection feature in MDT, you need to do the following: +If you've licensing for MDOP and DaRT, you can add DaRT to the boot images using the steps in this section. If you don't have DaRT licensing, or don't want to use it, skip to the next section, [Update the Deployment Share](#update-the-deployment-share). To enable the remote connection feature in MDT, you need to do the following steps: > [!NOTE] @@ -608,7 +608,7 @@ On **MDT01**: ### Update the deployment share -Like the MDT Build Lab deployment share, the MDT Production deployment share needs to be updated after it has been configured. This is the process during which the Windows PE boot images are created. +Like the MDT Build Lab deployment share, the MDT Production deployment share needs to be updated after it has been configured. This update-process is the one during which the Windows PE boot images are created. 1. Right-click the **MDT Production** deployment share and select **Update Deployment Share**. @@ -639,7 +639,7 @@ On **MDT01**: ### Deploy the Windows 10 client -At this point, you should have a solution ready for deploying the Windows 10 client. We recommend starting by trying a few deployments at a time until you are confident that your configuration works as expected. We find it useful to try some initial tests on virtual machines before testing on physical hardware. This helps rule out hardware issues when testing or troubleshooting. Here are the steps to deploy your Windows 10 image to a virtual machine: +At this point, you should have a solution ready for deploying the Windows 10 client. We recommend starting by trying a few deployments at a time until you're confident that your configuration works as expected. We find it useful to try some initial tests on virtual machines before testing on physical hardware. These tests help rule out hardware issues when testing or troubleshooting. Here are the steps to deploy your Windows 10 image to a virtual machine: On **HV01**: @@ -665,7 +665,7 @@ On **HV01**: - Computer Name: **PC0005** - Applications: Select the **Install - Adobe Reader** checkbox. -4. Setup now begins and does the following: +4. Setup now begins and does the following steps: - Installs the Windows 10 Enterprise operating system. - Installs the added application. @@ -681,7 +681,7 @@ Following OS installation, Microsoft Office 365 Pro Plus - x64 is installed auto ### Use the MDT monitoring feature -Since you have enabled the monitoring on the MDT Production deployment share, you can follow your deployment of PC0005 via the monitoring node. +Since you've enabled the monitoring on the MDT Production deployment share, you can follow your deployment of PC0005 via the monitoring node. On **MDT01**: @@ -705,12 +705,11 @@ The Event Viewer showing a successful deployment of PC0005. ## Multicast deployments -Multicast deployment allows for image deployment with reduced network load during simultaneous deployments. Multicast is a useful operating system deployment feature in MDT deployments, however it is important to ensure that your network supports it and is designed for it. If you have a limited number of simultaneous deployments, you probably do not need to enable multicast. +Multicast deployment allows for image deployment with reduced network load during simultaneous deployments. Multicast is a useful operating system deployment feature in MDT deployments, however it's important to ensure that your network supports it and is designed for it. If you've a limited number of simultaneous deployments, you probably don't need to enable multicast. ### Requirements -Multicast requires that Windows Deployment Services (WDS) is running on Windows Server 2008 or later. In addition to the core MDT setup for multicast, the network needs to be configured to support multicast. In general, this means involving the organization networking team to make sure that -Internet Group Management Protocol (IGMP) snooping is turned on and that the network is designed for multicast traffic. The multicast solution uses IGMPv3. +Multicast requires that Windows Deployment Services (WDS) is running on Windows Server 2008 or later. In addition to the core MDT setup for multicast, the network needs to be configured to support multicast. In general, this configuration means involvement of the organization networking team to ensure that Internet Group Management Protocol (IGMP) snooping is turned on and that the network is designed for multicast traffic. The multicast solution uses IGMPv3. ### Set up MDT for multicast @@ -729,9 +728,9 @@ On **MDT01**: ## Use offline media to deploy Windows 10 -In addition to network-based deployments, MDT supports the use of offline media-based deployments of Windows 10. You can very easily generate an offline version of your deployment share - either the full deployment share or a subset of it - through the use of selection profiles. The generated offline media can be burned to a DVD or copied to a USB stick for deployment. +In addition to network-based deployments, MDT supports the use of offline media-based deployments of Windows 10. You can easily generate an offline version of your deployment share - either the full deployment share or a subset of it - by using selection profiles. The generated offline media can be burned to a DVD or copied to a USB stick for deployment. -Offline media are useful not only when you do not have network connectivity to the deployment share, but also when you have limited connection to the deployment share and do not want to copy 5 GB of data over the wire. Offline media can still join the domain, but you save the transfer of operating system images, drivers, and applications over the wire. +Offline media are useful not only when you don't have network connectivity to the deployment share, but also when you've limited connection to the deployment share and don't want to copy 5 GB of data over the wire. Offline media can still join the domain, but you save the transfer of operating system images, drivers, and applications over the wire. ### Create the offline media selection profile @@ -762,7 +761,7 @@ In these steps, you generate offline media from the MDT Production deployment sh 1. On MDT01, using File Explorer, create the **D:\\MDTOfflineMedia** folder. >[!NOTE] - >When creating offline media, you need to create the target folder first. It is crucial that you do not create a subfolder inside the deployment share folder because it will break the offline media. + >When creating offline media, you need to create the target folder first. It's crucial that you don't create a subfolder inside the deployment share folder because it will break the offline media. 2. In the Deployment Workbench, under the **MDT Production / Advanced Configuration** node, right-click the **Media** node, and select **New Media**. @@ -798,7 +797,7 @@ On **MDT01**: ### Generate the offline media -You have now configured the offline media deployment share, however the share has not yet been populated with the files required for deployment. Now everything is ready you populate the deployment share content folder and generate the offline media ISO. +You've now configured the offline media deployment share, however the share hasn't yet been populated with the files required for deployment. Now everything is ready you populate the deployment share content folder and generate the offline media ISO. On **MDT01**: @@ -808,7 +807,7 @@ On **MDT01**: ### Create a bootable USB stick -The ISO that you got when updating the offline media item can be burned to a DVD and used directly (it will be bootable), but it is often more efficient to use USB sticks instead since they are faster and can hold more data. (A dual-layer DVD is limited to 8.5 GB.) +The ISO that you got when updating the offline media item can be burned to a DVD and used directly (it will be bootable), but it's often more efficient to use USB sticks instead since they're faster and can hold more data. (A dual-layer DVD is limited to 8.5 GB.) >[!TIP] >In this example, the .wim file is 5.5 GB in size. However, bootable USB sticks are formatted with the FAT32 file system which limits file size to 4.0 GB. You can place the image on a different drive (ex: E:\Deploy\Operating Systems\W10EX64RTM\REFW10X64-001.swm) and then modify E:\Deploy\Control\OperatingSystems.xml to point to it. Alternatively to keep using the USB you must split the .wim file, which can be done using DISM:
 
Dism /Split-Image /ImageFile:D:\MDTOfflinemedia\Content\Deploy\Operating Systems\W10EX64RTM\REFW10X64-001.wim /SWMFile:E:\sources\install.swm /FileSize:3800.
 
Windows Setup automatically installs from this file, provided you name it install.swm. The file names for the next files include numbers, for example: install2.swm, install3.swm.
 
To enable split image in MDT, the Settings.xml file in your deployment share (ex: D:\MDTProduction\Control\Settings.xml) must have the **SkipWimSplit** value set to **False**. By default this value is set to True (`True`), so this must be changed and the offline media content updated. @@ -821,7 +820,7 @@ Follow these steps to create a bootable USB stick from the offline media content 3. Start an elevated command prompt (run as Administrator), and start the Diskpart utility by typing **Diskpart** and pressing **Enter**. -4. In the Diskpart utility, you can type **list volume** (or the shorter **list vol**) to list the volumes, but you really only need to remember the drive letter of the USB stick to which you copied the content. In our example, the USB stick had the drive letter F. +4. In the Diskpart utility, you can type **list volume** (or the shorter **list vol**) to list the volumes, but you only need to remember the drive letter of the USB stick to which you copied the content. In our example, the USB stick had the drive letter F. 5. In the Diskpart utility, type **select volume F** (replace F with your USB stick drive letter). @@ -829,7 +828,7 @@ Follow these steps to create a bootable USB stick from the offline media content ## Unified Extensible Firmware Interface (UEFI)-based deployments -As referenced in [Windows 10 deployment scenarios and tools](../windows-deployment-scenarios-and-tools.md), Unified Extensible Firmware Interface (UEFI)-based deployments are becoming more common. In fact, when you create a generation 2 virtual machine in Hyper-V, you get a UEFI-based computer. During deployment, MDT automatically detects that you have an UEFI-based machine and creates the partitions UEFI requires. You do not need to update or change your task sequences in any way to accommodate UEFI. +As referenced in [Windows 10 deployment scenarios and tools](../windows-deployment-scenarios-and-tools.md), Unified Extensible Firmware Interface (UEFI)-based deployments are becoming more common. In fact, when you create a generation 2 virtual machine in Hyper-V, you get a UEFI-based computer. During deployment, MDT automatically detects that you've an UEFI-based machine and creates the partitions UEFI requires. You don't need to update or change your task sequences in any way to accommodate UEFI. ![figure 14.](../images/mdt-07-fig16.png) diff --git a/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md b/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md index d5a9a7653a..9667f4a047 100644 --- a/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md +++ b/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md @@ -21,23 +21,23 @@ This article provides an overview of the features, components, and capabilities MDT is a unified collection of tools, processes, and guidance for automating desktop and server deployment. You can use it to create reference images or as a complete deployment solution. MDT is one of the most important tools available to IT professionals today. -In addition to reducing deployment time and standardizing desktop and server images, MDT enables you to more easily manage security and ongoing configurations. MDT builds on top of the core deployment tools in the [Windows Assessment and Deployment Kit](/windows-hardware/get-started/adk-install) (Windows ADK) with additional guidance and features designed to reduce the complexity and time required for deployment in an enterprise environment. +In addition to reducing deployment time and standardizing desktop and server images, MDT enables you to more easily manage security and ongoing configurations. MDT builds on top of the core deployment tools in the [Windows Assessment and Deployment Kit](/windows-hardware/get-started/adk-install) (Windows ADK) with more guidance and features designed to reduce the complexity and time required for deployment in an enterprise environment. -MDT supports the deployment of Windows 10, as well as Windows 7, Windows 8.1, and Windows Server. It also includes support for zero-touch installation (ZTI) with [Microsoft Endpoint Configuration Manager](/configmgr/). +MDT supports the deployment of Windows 10, and Windows 7, Windows 8.1, and Windows Server. It also includes support for zero-touch installation (ZTI) with [Microsoft Endpoint Configuration Manager](/configmgr/). > [!IMPORTANT] > For more information about MDT supported platforms, see [MDT Release Notes](/mem/configmgr/mdt/release-notes#supported-platforms) and [MDT FAQ](/mem/configmgr/mdt/faq#is-this-release-only-supported-with-version--x--of-windows-client--windows-adk--or-configuration-manager-). ## Key features in MDT -MDT has been in existence since 2003, when it was first introduced as Business Desktop Deployment (BDD) 1.0. The toolkit has evolved, both in functionality and popularity, and today it is considered fundamental to Windows operating system and enterprise application deployment. +MDT has been in existence since 2003, when it was first introduced as Business Desktop Deployment (BDD) 1.0. The toolkit has evolved, both in functionality and popularity, and today it's considered fundamental to Windows operating system and enterprise application deployment. MDT has many useful features, such as: - **Windows Client support.** Supports Windows 7, Windows 8.1, and Windows 10. - **Windows Server support.** Supports Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019. -- **Additional operating systems support.** Supports Windows Thin PC and [Windows Embedded POSReady 7](https://www.microsoft.com/en-us/download/details.aspx?id=26558), as well as Windows 8.1 Embedded Industry. +- **Additional operating systems support.** Supports Windows Thin PC and [Windows Embedded POSReady 7](https://www.microsoft.com/en-us/download/details.aspx?id=26558), and Windows 8.1 Embedded Industry. - **UEFI support.** Supports deployment to machines using Unified Extensible Firmware Interface (UEFI) version 2.3.1. -- **GPT support.** Supports deployment to machines that require the new GPT partition table format. This is related to UEFI. +- **GPT support.** Supports deployment to machines that require the new GPT partition table format. This feature is related to UEFI. - **Enhanced Windows PowerShell support.** Provides support for running PowerShell scripts. ![figure 2.](../images/mdt-05-fig02.png) @@ -48,7 +48,7 @@ MDT has many useful features, such as: - **Automated participation in CEIP and WER.** Provides configuration for participation in Windows Customer Experience Improvement Program (CEIP) and Windows Error Reporting (WER). - **Deploy Windows RE.** Enables deployment of a customized Windows Recovery Environment (Windows RE) as part of the task sequence. - **Deploy to VHD.** Provides ready-made task sequence templates for deploying Windows into a virtual hard disk (VHD) file. -- **Improved deployment wizard.** Provides additional progress information and a cleaner UI for the Lite Touch Deployment Wizard. +- **Improved deployment wizard.** Provides more progress information and a cleaner UI for the Lite Touch Deployment Wizard. - **Monitoring.** Allows you to see the status of currently running deployments. - **Apply GPO Pack.** Allows you to deploy local group policy objects created by Microsoft Security Compliance Manager (SCM). - **Partitioning routines.** Provides improved partitioning routines to ensure that deployments work regardless of the current hard drive structure. @@ -65,21 +65,21 @@ MDT has many useful features, such as: - **Support for Microsoft Office.** Provides added support for deploying Microsoft Office. - **Support for Modern UI app package provisioning.** Provisions applications based on the new Windows app package standard, which is used in Windows 8 and later. - **Extensibility.** Provides the capability to extend MDT far beyond the built-in features by adding custom scripts, web services, System Center Orchestrator runbooks, PowerShell scripts, and VBScripts. -- **Upgrade task sequence.** Provides a new upgrade task sequence template that you can use to upgrade existing Windows 7, Windows 8, and Windows 8.1 systems directly to Windows 10, automatically preserving all data, settings, applications, and drivers. For more information about using this new upgrade task sequence, refer to the [Microsoft Deployment Toolkit resource page](/mem/configmgr/mdt/). +- **Upgrade task sequence.** Provides a new upgrade task sequence template that you can use to upgrade existing Windows 7, Windows 8, and Windows 8.1 systems directly to Windows 10, automatically preserving all data, settings, applications, and drivers. For more information about using this new upgrade task sequence, see the [Microsoft Deployment Toolkit resource page](/mem/configmgr/mdt/). ## MDT Lite Touch components -Many features in MDT support Lite Touch Installation (LTI) for Windows 10. An LTI deployment strategy requires very little infrastructure or user interaction, and can be used to deploy an operating system from a network share or from a physical media, such as a USB flash drive or disc. +Many features in MDT support Lite Touch Installation (LTI) for Windows 10. An LTI deployment strategy requires little infrastructure or user interaction, and can be used to deploy an operating system from a network share or from a physical media, such as a USB flash drive or disk. -When deploying the Windows operating system using MDT, most of the administration and configuration is done through the Deployment Workbench, but you also can perform many of the tasks using Windows PowerShell. The easiest way to find out how to use PowerShell in MDT is to use the Deployment Workbench to perform an operation and at the end of that task, click View Script. That will give you the PowerShell command. +When the Windows operating system is being deployed using MDT, most of the administration and configuration is done through the Deployment Workbench, but you also can perform many of the tasks using Windows PowerShell. The easiest way to find out how to use PowerShell in MDT is to use the Deployment Workbench to perform an operation and at the end of that task, click **View Script**. You're provided the PowerShell command. ![figure 4.](../images/mdt-05-fig04.png) -If you click **View Script** on the right side, you will get the PowerShell code that was used to perform the task. +If you click **View Script** on the right side, you'll get the PowerShell code that was used to perform the task. ## Deployment shares -A deployment share is essentially a folder on the server that is shared and contains all the setup files and scripts needed for the deployment solution. It also holds the configuration files (called rules) that are gathered when a machine is deployed. These configuration files can reach out to other sources, like a database, external script, or web server to get additional settings for the deployment. For Lite Touch deployments, it is common to have two deployment shares: one for creating the reference images and one for deployment. For Zero Touch, it is common to have only the deployment share for creating reference images because Configuration Manager deploys the image in the production environment. +A deployment share is essentially a folder on the server that is shared and contains all the setup files and scripts needed for the deployment solution. It also holds the configuration files (called rules) that are gathered when a machine is deployed. These configuration files can reach out to other sources, like a database, external script, or web server to get more settings for the deployment. For Lite Touch deployments, it's common to have two deployment shares: one for creating the reference images and one for deployment. For Zero Touch, it's common to have only the deployment share for creating reference images because Configuration Manager deploys the image in the production environment. ## Rules @@ -92,7 +92,7 @@ You can manage hundreds of settings in the rules. For more information, see the ![figure 5.](../images/mdt-05-fig05.png) -Example of a MDT rule. In this example, the new computer name is being calculated based on PC- plus the first seven (Left) characters from the serial number +Example of an MDT rule. In this example, the new computer name is being calculated based on PC- plus the first seven (Left) characters from the serial number ## Boot images @@ -101,7 +101,7 @@ share on the server and start the deployment. ## Operating systems -Using the Deployment Workbench, you import the operating systems you want to deploy. You can import either the full source (like the full Windows 10 DVD/ISO) or a custom image that you have created. The full-source operating systems are primarily used to create reference images; however, they also can be used for normal deployments. +Using the Deployment Workbench, you import the operating systems you want to deploy. You can import either the full source (like the full Windows 10 DVD/ISO) or a custom image that you've created. The full-source operating systems are primarily used to create reference images; however, they also can be used for normal deployments. ## Applications @@ -113,7 +113,7 @@ You also use the Deployment Workbench to import the drivers your hardware needs ## Packages -With the Deployment Workbench, you can add any Microsoft packages that you want to use. The most commonly added packages are language packs, and the Deployment Workbench Packages node works well for those. You also can add security and other updates this way. However, we generally recommend that you use Windows Server Update Services (WSUS) for operating system updates. The rare exceptions are critical hotfixes that are not available via WSUS, packages for the boot image, or any other package that needs to be deployed before the WSUS update process starts. +With the Deployment Workbench, you can add any Microsoft packages that you want to use. The most commonly added packages are language packs, and the Deployment Workbench Packages node works well for those packages. You also can add security and other updates this way. However, we generally recommend that you use Windows Server Update Services (WSUS) for operating system updates. The rare exceptions are critical hotfixes that aren't available via WSUS, packages for the boot image, or any other package that needs to be deployed before the WSUS update process starts. ## Task sequences @@ -128,17 +128,18 @@ You can think of a task sequence as a list of actions that need to be executed i ## Task sequence templates -MDT comes with nine default task sequence templates. You can also create your own templates. As long as you store them in the Templates folder, they will be available when you create a new task sequence. +MDT comes with nine default task sequence templates. You can also create your own templates. As long as you store them in the Templates folder, they'll be available when you create a new task sequence. - **Sysprep and Capture task sequence.** Used to run the System Preparation (Sysprep) tool and capture an image of a reference computer. - **Note**: It is preferable to use a complete build and capture instead of the Sysprep and Capture task sequence. A complete build and capture can be automated, whereas Sysprep and Capture cannot. + > [!NOTE] + > It's preferable to use a complete build and capture instead of the Sysprep and Capture task sequence. A complete build and capture can be automated, whereas Sysprep and Capture can't. - **Standard Client task sequence.** The most frequently used task sequence. Used for creating reference images and for deploying clients in production. - **Standard Client Replace task sequence.** Used to run User State Migration Tool (USMT) backup and the optional full Windows Imaging (WIM) backup action. Can also be used to do a secure wipe of a machine that is going to be decommissioned. - **Custom task sequence.** As the name implies, a custom task sequence with only one default action (one Install Application action). -- **Standard Server task sequence.** The default task sequence for deploying operating system images to servers. The main difference between this template and the Standard Client task sequence template is that it does not contain any USMT actions because USMT is not supported on servers. +- **Standard Server task sequence.** The default task sequence for deploying operating system images to servers. The main difference between this template and the Standard Client task sequence template is that it doesn't contain any USMT actions because USMT isn't supported on servers. - **Lite Touch OEM task sequence.** Used to preload operating systems images on the computer hard drive. Typically used by computer original equipment manufacturers (OEMs) but some enterprise organizations also use this feature. -- **Post OS Installation task sequence.** A task sequence prepared to run actions after the operating system has been deployed. Very useful for server deployments but not often used for client deployments. +- **Post OS Installation task sequence.** A task sequence prepared to run actions after the operating system has been deployed. Useful for server deployments but not often used for client deployments. - **Deploy to VHD Client task sequence.** Similar to the Standard Client task sequence template but also creates a virtual hard disk (VHD) file on the target computer and deploys the image to the VHD file. - **Deploy to VHD Server task sequence.** Same as the Deploy to VHD Client task sequence but for servers. - **Standard Client Upgrade task sequence.** A simple task sequence template used to perform an in-place upgrade from Windows 7, Windows 8, or Windows 8.1 directly to Windows 10, automatically preserving existing data, settings, applications, and drivers. @@ -161,7 +162,7 @@ The easiest way to view log files is to use Configuration Manager Trace (CMTrace ## Monitoring -On the deployment share, you also can enable monitoring. After you enable monitoring, you will see all running deployments in the Monitor node in the Deployment Workbench. +On the deployment share, you also can enable monitoring. After you enable monitoring, you'll see all running deployments in the Monitor node in the Deployment Workbench. ## See next diff --git a/windows/deployment/do/TOC.yml b/windows/deployment/do/TOC.yml index ad872a2c86..72ef0f8a71 100644 --- a/windows/deployment/do/TOC.yml +++ b/windows/deployment/do/TOC.yml @@ -7,7 +7,11 @@ href: waas-delivery-optimization.md - name: What's new href: whats-new-do.md + - name: Delivery Optimization Frequently Asked Questions + href: waas-delivery-optimization-faq.yml + + - name: Configure Delivery Optimization items: - name: Configure Windows Clients @@ -15,7 +19,7 @@ - name: Windows Delivery Optimization settings href: waas-delivery-optimization-setup.md#recommended-delivery-optimization-settings - name: Windows Delivery Optimization Frequently Asked Questions - href: ../update/waas-delivery-optimization-faq.md + href: ../do/waas-delivery-optimization-faq.yml - name: Configure Microsoft Endpoint Manager items: - name: Delivery Optimization settings in Microsoft Intune diff --git a/windows/deployment/do/delivery-optimization-endpoints.md b/windows/deployment/do/delivery-optimization-endpoints.md index da591eeadd..984e7fd026 100644 --- a/windows/deployment/do/delivery-optimization-endpoints.md +++ b/windows/deployment/do/delivery-optimization-endpoints.md @@ -33,5 +33,5 @@ This article lists the endpoints that need to be allowed through the firewall to | *.statics.teams.cdn.office.net | HTTP / 80
HTTPs / 443 | Teams | | Microsoft Endpoint Configuration Manager Distribution Point | | *.assets1.xboxlive.com, *.assets2.xboxlive.com, *.dlassets.xboxlive.com, *.dlassets2.xboxlive.com, *.d1.xboxlive.com, *.d2.xboxlive.com, *.assets.xbox.com, *.xbl-dlassets-origin.xboxlive.com, *.assets-origin.xboxlive.com, *.xvcb1.xboxlive.com, *.xvcb2.xboxlive.com, *.xvcf1.xboxlive.com, *.xvcf2.xboxlive.com | HTTP / 80 | Xbox | | Microsoft Endpoint Configuration Manager Distribution Point | | *.tlu.dl.adu.microsoft.com, *.nlu.dl.adu.microsoft.com, *.dcsfe.prod.adu.microsoft.com | HTTP / 80 | Device Update | [Complete list](/azure/iot-hub-device-update/) of endpoints for Device Update updates. | Microsoft Endpoint Configuration Manager Distribution Point | -| *.do.dsp.mp.microsoft.com | HTTP / 80
HTTPs / 443 | Microsoft Connected Cache -> Delivery Optimization Services communication | [Complete list](../update/waas-delivery-optimization-faq.md#what-hostnames-should-i-allow-through-my-firewall-to-support-delivery-optimization) of endpoints for Delivery Optimization only. | Microsoft Connected Cache Managed in Azure | +| *.do.dsp.mp.microsoft.com | HTTP / 80
HTTPs / 443 | Microsoft Connected Cache -> Delivery Optimization Services communication | [Complete list](../do/waas-delivery-optimization-faq.yml) of endpoints for Delivery Optimization only. | Microsoft Connected Cache Managed in Azure | | *.azure-devices.net, *.global.azure-devices-provisioning.net, *.azurecr.io, *.blob.core.windows.net, *.mcr.microsoft.com | AMQP / 5671
MQTT / 8883
HTTPs / 443 | IoT Edge / IoT Hub communication| [Complete list](/azure/iot-hub/iot-hub-devguide-protocols) of Azure IoT Hub communication protocols and ports. [Azure IoT Guide](/azure/iot-hub/iot-hub-devguide-endpoints) to understanding Azure IoT Hub endpoints. | Microsoft Connected Cache Managed in Azure | diff --git a/windows/deployment/do/index.yml b/windows/deployment/do/index.yml index a2db6aedca..85d6ee2703 100644 --- a/windows/deployment/do/index.yml +++ b/windows/deployment/do/index.yml @@ -49,7 +49,7 @@ landingContent: - text: Troubleshoot Delivery Optimization url: waas-delivery-optimization-setup.md#troubleshooting - text: Delivery Optimization Frequently Asked Questions - url: ../update/waas-delivery-optimization-faq.md + url: ../do/waas-delivery-optimization-faq.yml - text: Submit feedback url: https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332 diff --git a/windows/deployment/do/waas-delivery-optimization-faq.yml b/windows/deployment/do/waas-delivery-optimization-faq.yml new file mode 100644 index 0000000000..0fe613a87a --- /dev/null +++ b/windows/deployment/do/waas-delivery-optimization-faq.yml @@ -0,0 +1,108 @@ +### YamlMime:FAQ +metadata: + title: Delivery Optimization Frequently Asked Questions + description: The following is a list of frequently asked questions for Delivery Optimization. + ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee + ms.reviewer: aaroncz + ms.prod: m365-security + ms.mktglfcycl: explore + ms.sitesec: library + ms.pagetype: security + ms.localizationpriority: medium + author: carmenf + ms.author: carmenf + manager: dougeby + audience: ITPro + ms.collection: + - M365-security-compliance + - highpri + ms.topic: faq + ms.date: 08/04/2022 + ms.custom: seo-marvel-apr2020 +title: Delivery Optimization Frequently Asked Questions +summary: | + **Applies to** + - Windows 10 + - Windows 11 + + +sections: + - name: Ignored + questions: + - question: Does Delivery Optimization work with WSUS? + answer: Yes. Devices will obtain the update payloads from the WSUS server, but must also have an internet connection as they communicate with the Delivery Optimization cloud service for coordination. + + - question: Which ports does Delivery Optimization use? + answer: | + Delivery Optimization listens on port 7680 for requests from other peers by using TCP/IP. The service will register and open this port on the device. The port must be set to accept inbound traffic through your firewall. If you don't allow inbound traffic over port 7680, you can't use the peer-to-peer functionality of Delivery Optimization. However, devices can still successfully download by using HTTP or HTTPS traffic over port 80 (such as for default Windows Update data). + + Delivery Optimization will use Teredo to create peer groups, which include devices across NATs (or any form of internal subnet that uses gateways or firewalls between subnets). For this to work, you must allow inbound TCP/IP traffic over port 3544. Look for a "NAT traversal" setting in your firewall to set this up. + + Delivery Optimization also communicates with its cloud service by using HTTP/HTTPS over port 80. + + - question: What are the requirements if I use a proxy? + answer: For Delivery Optimization to successfully use the proxy, you should set up the proxy by using Windows proxy settings or Internet Explorer proxy settings. For details see [Using a proxy with Delivery Optimization](../do/delivery-optimization-proxy.md). Most content downloaded with Delivery Optimization uses byte range requests. Make sure your proxy allows byte range requests. For more information, see [Proxy requirements for Windows Update](/windows/deployment/update/windows-update-troubleshooting). + + - question: What hostnames should I allow through my firewall to support Delivery Optimization? + answer: | + **For communication between clients and the Delivery Optimization cloud service**: + + - `*.do.dsp.mp.microsoft.com` + + **For Delivery Optimization metadata**: + + - `*.dl.delivery.mp.microsoft.com` + - `*.emdl.ws.microsoft.com` + + **For the payloads (optional)**: + + - `*.download.windowsupdate.com` + - `*.windowsupdate.com` + + **For group peers across multiple NATs (Teredo)**: + + - `win1910.ipv6.microsoft.com` + + For more information, see [Endpoints for Delivery Optimization and Microsoft Connected Cache](../do/delivery-optimization-endpoints.md) for a list of all content endpoints needed. + + - question: Does Delivery Optimization use multicast? + answer: No. It relies on the cloud service for peer discovery, resulting in a list of peers and their IP addresses. Client devices then connect to their peers to obtain download files over TCP/IP. + + - question: How does Delivery Optimization deal with congestion on the router from peer-to-peer activity on the LAN? + answer: Starting in Windows 10, version 1903, Delivery Optimization uses LEDBAT to relieve such congestion. For more information, see this post on the [Networking Blog](https://techcommunity.microsoft.com/t5/Networking-Blog/Windows-Transport-converges-on-two-Congestion-Providers-Cubic/ba-p/339819). + + - question: How does Delivery Optimization handle VPNs? + answer: | + Delivery Optimization attempts to identify VPNs by checking the network adapter type and details. A connection will be treated as a VPN if the adapter description contains certain keywords, such as "VPN" or "secure." + + If the connection is identified as a VPN, Delivery Optimization will suspend uploads to other peers. However, you can allow uploads over a VPN by using the [Enable Peer Caching while the device connects via VPN](../do/waas-delivery-optimization-reference.md#enable-peer-caching-while-the-device-connects-via-vpn) policy. + + If you have defined a boundary group in Configuration Manager for VPN IP ranges, you can set the [DownloadMode](../do/waas-delivery-optimization-reference.md#download-mode) policy to 0 for that boundary group, to ensure that there will be no peer-to-peer activity over the VPN. When the device is not connected using a VPN, it can still use peer-to-peer with the default of LAN. + + With split tunneling, make sure to allow direct access to these endpoints: + + Delivery Optimization service endpoint: + + - `https://*.prod.do.dsp.mp.microsoft.com` + + Delivery Optimization metadata: + + - `http://emdl.ws.microsoft.com` + - `http://*.dl.delivery.mp.microsoft.com` + + Windows Update and Microsoft Store backend services and Windows Update and Microsoft Store payloads + + - `http://*.windowsupdate.com` + - `https://*.delivery.mp.microsoft.com` + - `https://*.update.microsoft.com` + - `https://tsfe.trafficshaping.dsp.mp.microsoft.com` + + For more information about remote work if you're using Configuration Manager, see this post on the [Configuration Manager blog](https://techcommunity.microsoft.com/t5/configuration-manager-blog/managing-patch-tuesday-with-configuration-manager-in-a-remote/ba-p/1269444). + + - question: How does Delivery Optimization handle networks where a public IP address is used in place of a private IP address? + answer: | + Starting with Windows 10, version 1903 or later, Delivery Optimization no longer restricts connections between LAN peers to those using private IP addresses. If you use public IP addresses instead of private IP addresses, you can use Delivery Optimization in LAN mode. + + > [!NOTE] + > If you use public IP addresses instead of private in LAN mode, the bytes downloaded from or uploaded to LAN peers with public IP addresses might be reported as coming from Internet peers. + diff --git a/windows/deployment/update/includes/update-compliance-verify-device-configuration.md b/windows/deployment/update/includes/update-compliance-verify-device-configuration.md new file mode 100644 index 0000000000..b0aeb4c8a1 --- /dev/null +++ b/windows/deployment/update/includes/update-compliance-verify-device-configuration.md @@ -0,0 +1,43 @@ +--- +author: mestew +ms.author: mstewart +manager: dougeby +ms.prod: w10 +ms.collection: M365-modern-desktop +ms.topic: include +ms.date: 08/10/2022 +ms.localizationpriority: medium +--- + + +In some cases, you may need to manually verify the device configuration has the `AllowUpdateComplianceProcessing` policy enabled. To verify the setting, use the following steps: + +1. Download and enable the **Diagnostic Data Viewer**. For more information, see [Diagnostic Data Viewer overview](/windows/privacy/diagnostic-data-viewer-overview#install-and-use-the-diagnostic-data-viewer). + 1. Go to **Start**, select **Settings** > **Privacy** > **Diagnostics & feedback**. + 1. Under **View diagnostic data**, select **On** for the following option: + + - Windows 11: **Turn on the Diagnostic Data Viewer (uses up to 1 GB of hard drive space)** + - Windows 10: **Turn on this setting to see your data in the Diagnostic Data Viewer. (Setting uses up to 1GB of hard drive space.)** + +1. Select **Open Diagnostic Data Viewer**. + - If the application isn't installed, select **Get** when you're asked to download the [Diagnostic Data Viewer from the Microsoft Store](https://www.microsoft.com/store/p/diagnostic-data-viewer/9n8wtrrsq8f7?rtc=1) page. + - If the application is already installed, it will open. You can either close the application before running a scan for software updates, or use the refresh button to fetch the new data after the scan is completed. + +1. Check for software updates on the client device. + - Windows 11: + 1. Go to **Start**, select **Settings** > **Windows Update**. + 1. Select **Check for updates** then wait for the update check to complete. + - Windows 10: + 1. Go to **Start**, select **Settings** > **Update & Security** > **Windows Update**. + 1. Select **Check for updates** then wait for the update check to complete. + +1. Run the **Diagnostic Data Viewer**. + 1. Go to **Start**, select **Settings** > **Privacy** > **Diagnostics & feedback**. + 1. Under **View diagnostic data**, select **Open Diagnostic Data Viewer**. +1. When the Diagnostic Data Viewer opens, type `SoftwareUpdateClientTelemetry` in the search field. Verify the following items: + - The **EnrolledTenantID** field under **m365a** should equal the [CommercialID](../update-compliance-v2-enable.md#bkmk_id) of your Log Analytics workspace for Update Compliance. + - The **MSP** field value under **protocol** should be either `16` or `18`. + - If you need to send this data to Microsoft Support, select **Export data**. + + :::image type="content" alt-text="Screenshot of the Diagnostic Data Viewer displaying the data from SoftwareUpdateClientTelemetry. The export data option and the fields for MSP and EnrolledTenantID are outlined in red." source="../media/update-compliance-diagnostic-data-viewer.png" lightbox="../media/update-compliance-diagnostic-data-viewer.png"::: + diff --git a/windows/deployment/update/media/33771278-overall-security-update-status.png b/windows/deployment/update/media/33771278-overall-security-update-status.png new file mode 100644 index 0000000000..49d634956c Binary files /dev/null and b/windows/deployment/update/media/33771278-overall-security-update-status.png differ diff --git a/windows/deployment/update/media/33771278-update-compliance-feedback.png b/windows/deployment/update/media/33771278-update-compliance-feedback.png new file mode 100644 index 0000000000..bab180d192 Binary files /dev/null and b/windows/deployment/update/media/33771278-update-compliance-feedback.png differ diff --git a/windows/deployment/update/media/33771278-update-compliance-workbook-summary.png b/windows/deployment/update/media/33771278-update-compliance-workbook-summary.png new file mode 100644 index 0000000000..bf5f0272ac Binary files /dev/null and b/windows/deployment/update/media/33771278-update-compliance-workbook-summary.png differ diff --git a/windows/deployment/update/media/33771278-update-deployment-status-table.png b/windows/deployment/update/media/33771278-update-deployment-status-table.png new file mode 100644 index 0000000000..4ee85fcc56 Binary files /dev/null and b/windows/deployment/update/media/33771278-update-deployment-status-table.png differ diff --git a/windows/deployment/update/media/33771278-workbook-summary-tab-tiles.png b/windows/deployment/update/media/33771278-workbook-summary-tab-tiles.png new file mode 100644 index 0000000000..7f1dddf600 Binary files /dev/null and b/windows/deployment/update/media/33771278-workbook-summary-tab-tiles.png differ diff --git a/windows/deployment/update/media/docs-feedback.png b/windows/deployment/update/media/docs-feedback.png new file mode 100644 index 0000000000..2c6afbc101 Binary files /dev/null and b/windows/deployment/update/media/docs-feedback.png differ diff --git a/windows/deployment/update/update-compliance-v2-configuration-script.md b/windows/deployment/update/update-compliance-v2-configuration-script.md index aafe9ff807..7e9fd6a12b 100644 --- a/windows/deployment/update/update-compliance-v2-configuration-script.md +++ b/windows/deployment/update/update-compliance-v2-configuration-script.md @@ -49,36 +49,8 @@ Open `RunConfig.bat` and configure the following (assuming a first-run, with `ru ## Verify device configuration -In some cases, you may need to manually verify the device configuration has the `AllowUpdateComplianceProcessing` policy enabled. To verify the setting, use the following steps: - -1. Download and enable the **Diagnostic Data Viewer**. For more information, see [Diagnostic Data Viewer overview](/windows/privacy/diagnostic-data-viewer-overview#install-and-use-the-diagnostic-data-viewer). - 1. Go to **Start**, select **Settings** > **Privacy** > **Diagnostics & feedback**. - 1. Under **View diagnostic data**, select **On** for the following option: - - - Windows 11: **Turn on the Diagnostic Data Viewer (uses up to 1 GB of hard drive space)** - - Windows 10: **Turn on this setting to see your data in the Diagnostic Data Viewer. (Setting uses up to 1GB of hard drive space.)** - -1. Select **Open Diagnostic Data Viewer**. - - If the application isn't installed, select **Get** when you're asked to download the [Diagnostic Data Viewer from the Microsoft Store](https://www.microsoft.com/store/p/diagnostic-data-viewer/9n8wtrrsq8f7?rtc=1) page. - - If the application is already installed, it will open. You can either close the application before running a scan for software updates, or use the refresh button to fetch the new data after the scan is completed. - -1. Check for software updates on the client device. - - Windows 11: - 1. Go to **Start**, select **Settings** > **Windows Update**. - 1. Select **Check for updates** then wait for the update check to complete. - - Windows 10: - 1. Go to **Start**, select **Settings** > **Update & Security** > **Windows Update**. - 1. Select **Check for updates** then wait for the update check to complete. - -1. Run the **Diagnostic Data Viewer**. - 1. Go to **Start**, select **Settings** > **Privacy** > **Diagnostics & feedback**. - 1. Under **View diagnostic data**, select **Open Diagnostic Data Viewer**. -1. When the Diagnostic Data Viewer opens, type `SoftwareUpdateClientTelemetry` in the search field. Verify the following items: - - The **EnrolledTenantID** field under **m365a** should equal the [CommercialID](update-compliance-v2-enable.md#bkmk_id) of your Log Analytics workspace for Update Compliance. - - The **MSP** field value under **protocol** should be either `16` or `18`. - - If you need to send this data to Microsoft Support, select **Export data**. - - :::image type="content" alt-text="Screenshot of the Diagnostic Data Viewer displaying the data from SoftwareUpdateClientTelemetry. The export data option and the fields for MSP and EnrolledTenantID are outlined in red." source="./media/update-compliance-diagnostic-data-viewer.png" lightbox="./media/update-compliance-diagnostic-data-viewer.png"::: + +[!INCLUDE [Endpoints for Update Compliance](./includes/update-compliance-verify-device-configuration.md)] ## Script errors diff --git a/windows/deployment/update/update-compliance-v2-help.md b/windows/deployment/update/update-compliance-v2-help.md new file mode 100644 index 0000000000..25e1dff44a --- /dev/null +++ b/windows/deployment/update/update-compliance-v2-help.md @@ -0,0 +1,109 @@ +--- +title: Update Compliance (preview) feedback, support, and troubleshooting +ms.reviewer: +manager: dougeby +description: Update Compliance (preview) support information. +ms.prod: w10 +author: mestew +ms.author: mstewart +ms.collection: M365-analytics +ms.topic: article +ms.date: 08/10/2022 +--- + +# Update Compliance (preview) feedback, support, and troubleshooting + + +***(Applies to: Windows 11 & Windows 10)*** + +> [!IMPORTANT] +> This information relates to a preview feature that's available for early testing and use in a production environment. This feature is fully supported but it's still in active development and may receive substantial changes until it becomes generally available. + +There are several resources that you can use to find help with Update Compliance. Whether you're just getting started or an experienced administrator, use the following resources when you need help with Update Compliance: + +- Send [product feedback about Update Compliance](#send-product-feedback) +- Open a [Microsoft support case](#open-a-microsoft-support-case) + +- [Documentation feedback](#documentation-feedback) +- [Troubleshooting tips](#troubleshooting-tips) for Update Compliance +- Follow the [Windows IT Pro blog](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/bg-p/Windows10Blog) to learn about upcoming changes to Update Compliance +- Use Microsoft Q&A to [ask product questions](/answers/products/) + +## Send product feedback + +Use the product feedback option to offer suggestions for new features and functionality, or for suggesting changes to the current Update Compliance features. You can share feedback directly to the Update Compliance product group. To provide product feedback: + +1. In the upper right corner of the Azure portal, select the feedback icon. +1. Select either the smile or the frown to rate your satisfaction with your experience. +1. In the text box, describe what you did or didn't like. When providing feedback about a problem, be sure to include enough detail in your description so it can be properly identified by the product group. +1. Choose if you'd like to allow Microsoft to email you about your feedback. +1. Select **Submit feedback** when you've completed the feedback form. +:::image type="content" source="media/33771278-update-compliance-feedback.png" alt-text="Screenshot of the Azure portal showing the product feedback option flyout." lightbox="media/33771278-update-compliance-feedback.png"::: + +## Open a Microsoft support case + +You can open support requests directly from the Azure portal. If the **Help + Support** page doesn't display, verify you have access to open support requests. For more information about role-based access controls for support requests, see [Create an Azure support request](/azure/azure-portal/supportability/how-to-create-azure-support-request). To create a new support request for Update Compliance: + +1. Open the **Help + Support** page from the following locations: + - In the [Send product feedback](#send-product-feedback) flyout, select the **contact support** link. + - From the Azure portal, select **New support request** under the **Support + Troubleshooting** heading. +1. Select **Create a support request** which opens the new support request page. +1. On the **Problem description** tab, provide information about the issue. The below items in ***bold italics*** should be used to help ensure an Update Compliance engineer receives your support request: + - **Summary** - Brief description of the issue + - **Issue type** - ***Technical*** + - **Subscription** - Select the subscription used for Update Compliance + - **Service** - ***My services*** + - **Service type** - ***Log Analytics*** + - **Problem type** - ***Solutions or Insights*** + - **Problem subtype** - ***Update Compliance*** +1. Based on the information you provided, you'll be shown some **Recommended solutions** you can use to try to resolve the problem. +1. Complete the **Additional details** tab and then create the request on the **Review + create** tab. + +## Documentation feedback + +Select the **Feedback** link in the upper right of any article to go to the Feedback section at the bottom. Feedback is integrated with GitHub Issues. For more information about this integration with GitHub Issues, see the [docs platform blog post](/teamblog/a-new-feedback-system-is-coming-to-docs). + +:::image type="content" source="media/docs-feedback.png" alt-text="Screenshot of the feedback section on a docs article."::: + +To share docs feedback about the current article, select **This page**. A [GitHub account](https://github.com/join) is a prerequisite for providing documentation feedback. Once you sign in, there's a one-time authorization for the MicrosoftDocs organization. It then opens the GitHub new issue form. Add a descriptive title and detailed feedback in the body, but don't modify the document details section. Then select **Submit new issue** to file a new issue for the target article in the [Windows-ITPro-docs GitHub repository](https://github.com/MicrosoftDocs/windows-itpro-docs/issues). + +To see whether there's already feedback for this article, select **View all page feedback**. This action opens a GitHub issue query for this article. By default it displays both open and closed issues. Review any existing feedback before you submit a new issue. If you find a related issue, select the face icon to add a reaction, add a comment to the thread, or **Subscribe** to receive notifications. + +Use GitHub Issues to submit the following types of feedback: + +- Doc bug: The content is out of date, unclear, confusing, or broken. +- Doc enhancement: A suggestion to improve the article. +- Doc question: You need help with finding existing documentation. +- Doc idea: A suggestion for a new article. +- Kudos: Positive feedback about a helpful or informative article. +- Localization: Feedback about content translation. +- Search engine optimization (SEO): Feedback about problems searching for content. Include the search engine, keywords, and target article in the comments. + +If you create an issue for something not related to documentation, Microsoft will close the issue and redirect you to a better feedback channel. For example: + +- [Product feedback](#send-product-feedback) for Update Compliance +- [Product questions (using Microsoft Q&A)](/answers/products/) +- [Support requests](#open-a-microsoft-support-case) for Update Compliance + +To share feedback on the fundamental docs.microsoft.com platform, see [Docs feedback](https://aka.ms/sitefeedback). The platform includes all of the wrapper components such as the header, table of contents, and right menu. Also how the articles render in the browser, such as the font, alert boxes, and page anchors. + +## Troubleshooting tips + +Use the troubleshooting tips below to resolve commonly encountered problems when using Update Compliance: + +### Verify client configuration + + +[!INCLUDE [Endpoints for Update Compliance](./includes/update-compliance-verify-device-configuration.md)] + +### Ensuring devices are configured correctly to send data + +The first step in troubleshooting Update Compliance is ensuring that devices are configured. Review [Manually configuring devices for Update Compliance](update-compliance-v2-configuration-manual.md) for the settings. We recommend using the [Update Compliance configuration script](update-compliance-v2-configuration-script.md) for troubleshooting and configuring devices. + +### Devices have been correctly configured but aren't showing up in Update Compliance + +It takes some time for data to appear in Update Compliance for the first time or if you moved to a new Log Analytics workspace. To learn more about data latencies for Update Compliance, review [Update Compliance data latency](update-compliance-v2-use.md#update-compliance-data-latency). + +### Devices are appearing, but without a device name + +Device Name is an opt-in via policy starting in Windows 10 version 1803. Review the required policies for enabling device name in the [Manually configuring devices for Update Compliance](update-compliance-v2-configuration-manual.md) article. diff --git a/windows/deployment/update/update-compliance-v2-overview.md b/windows/deployment/update/update-compliance-v2-overview.md index dcd9c0e7c9..e4d165eb8c 100644 --- a/windows/deployment/update/update-compliance-v2-overview.md +++ b/windows/deployment/update/update-compliance-v2-overview.md @@ -8,7 +8,7 @@ author: mestew ms.author: mstewart ms.collection: M365-analytics ms.topic: article -ms.date: 06/06/2022 +ms.date: 08/09/2022 --- # Update Compliance overview @@ -34,7 +34,8 @@ The new version of Update Compliance is in technical preview. Some of the benefi Currently, the technical preview contains the following features: -- Access to the following new Update Compliance tables: +- [Update Compliance workbook](update-compliance-v2-workbook.md) +- Access to the following new [Update Compliance tables](update-compliance-v2-schema.md): - UCClient - UCClientReadinessStatus - UCClientUpdateStatus @@ -43,6 +44,8 @@ Currently, the technical preview contains the following features: - UCUpdateAlert - Client data collection to populate the new Update Compliance tables +Currently, these new tables are available to all Updates Compliance users. They will be displayed along with the original Updates Compliance tables. + :::image type="content" source="media/update-compliance-v2-query-table.png" alt-text="Screenshot of using a custom Kusto (KQL) query on Update Compliance data in Log Analytics." lightbox="media/update-compliance-v2-query-table.png"::: > [!IMPORTANT] @@ -69,6 +72,8 @@ Since the data from your clients is stored in a Log Analytics workspace, you can - [Power BI](/azure/azure-monitor/logs/log-powerbi) - Other tools for [querying the data](/azure/azure-monitor/logs/log-query-overview) + + ## Next steps - Review the [Update Compliance prerequisites](update-compliance-v2-prerequisites.md) diff --git a/windows/deployment/update/update-compliance-v2-workbook.md b/windows/deployment/update/update-compliance-v2-workbook.md new file mode 100644 index 0000000000..da0c935974 --- /dev/null +++ b/windows/deployment/update/update-compliance-v2-workbook.md @@ -0,0 +1,148 @@ +--- +title: Use the workbook for Update Compliance (preview) +ms.reviewer: +manager: dougeby +description: How to use the Update Compliance (preview) workbook. +ms.prod: w10 +author: mestew +ms.author: mstewart +ms.collection: M365-analytics +ms.topic: article +ms.date: 08/10/2022 +--- + +# Update Compliance (preview) workbook + +***(Applies to: Windows 11 & Windows 10)*** + +> [!IMPORTANT] +> This information relates to a preview feature that's available for early testing and use in a production environment. This feature is fully supported but it's still in active development and may receive substantial changes until it becomes generally available. + +[Update Compliance](update-compliance-v2-overview.md) presents information commonly needed by updates administrators in an easy to use format. Update Compliance uses [Azure Workbooks](/azure/azure-monitor/visualize/workbooks-getting-started) to give you a visual representation of your compliance data. The workbook is broken down into three tab sections: + +- [Summary](#summary-tab) +- [Quality updates](#quality-updates-tab) +- [Feature updates](#feature-updates-tab) + +:::image type="content" source="media/33771278-update-compliance-workbook-summary.png" alt-text="Screenshot of the summary tab in the Update Compliance workbook with the three tabbed sections outlined in red." lightbox="media/33771278-update-compliance-workbook-summary.png"::: + +## Open the Update Compliance workbook + +To access the Update Compliance workbook: + +1. In the [Azure portal](https://portal.azure.com), select **Monitor** > **Workbooks** from the menu bar. + - You can also type **Monitor** in the search bar. As you begin typing, the list filters based on your input. + +1. When the gallery opens, select the **Update Compliance** workbook. If needed, you can filter workbooks by name in the gallery. +1. When the workbook opens, you may need to specify which **Subscription** and **Workspace** you used when [enabling Update Compliance](update-compliance-v2-enable.md). + +## Summary tab + +The **Summary** tab gives you a brief high-level overview of the devices that you've enrolled into Update Compliance. The **Summary** tab contains tiles above the **Overall security update status** chart. + +### Summary tab tiles + +Each of these tiles contains an option to **View details**. When **View details** is selected for a tile, a flyout appears with additional information. + +:::image type="content" source="media/33771278-workbook-summary-tab-tiles.png" alt-text="Screenshot of the summary tab tiles in the Update Compliance workbook"::: + +| Tile name | Description | View details description | +|---|---|------| +| **Enrolled devices** | Total number of devices that are enrolled into Update Compliance | Displays multiple charts about the operating systems (OS) for enrolled devices:
**OS Version**
**OS Edition**
**OS Servicing Channel**
**OS Architecture**| +|**Active alerts** | Total number of active alerts on enrolled devices | Displays the top three active alert subtypes and the count of devices in each.

Select the count of **Devices** to display a table of the devices. This table is limited to the first 250 rows. Select `...` to export the full list, or display the query in [Log Analytics](/azure/azure-monitor/logs/log-analytics-tutorial).

Select an **AlertSubtype** to display a list containing:
- Each **Error Code** in the alert subtype
- A **Description** of the error code
- A **Recommendation** to help you remediate the error code
- A count of **Devices** with the specific error code | +| **Windows 11 eligibility** | Percentage of devices that are capable of running Windows 11 | Displays the following items:
- **Windows 11 Readiness Status** chart
- **Readiness Reason(s) Breakdown** chart that displays Windows 11 requirements that aren't met.
- A table for **Readiness reason**. Select a reason to display a list of devices that don't meet a specific requirement for Windows 11. | + +### Summary tab charts + +The charts displayed in the **Summary** tab give you a general idea of the overall status of your devices. The two charts displayed include: + +- **Overall security update status**: Gives you general insight into of the current update compliance state of your enrolled devices. For instance, if the chart shows a large number of devices are missing multiple security updates, it may indicate an issue in the software update process. + +- **Feature update status**: Gives you a general understanding of how many devices are eligible for feature updates based on the operating system lifecycle. + +:::image type="content" source="media/33771278-overall-security-update-status.png" alt-text="Screenshot of the charts in the workbook's summary tab" lightbox="media/33771278-overall-security-update-status.png"::: + +## Quality updates tab + +The **Quality updates** tab displays generalized data at the top by using tiles. The quality update data becomes more specific as you navigate lower in this tab. The top of the **Quality updates** tab contains tiles with the following information: + +- **Devices count**: Count of devices that have reported at least one security update is or was applicable and offered in the past 30 days, regardless of installation state of the update. +- **Latest security update**: Count of devices that have installed the latest security update. +- **Security update status**: Count of devices that haven't installed a security update released within the last 60 days. +- **Total alerts**: Count of active alerts that are for quality updates. + +Below the tiles, the **Quality updates** tab is subdivided into **Update status** and **Device status** groups. These different chart groups allow you to easily discover trends in compliance data. For instance, you may remember that about third of your devices were in the installing state yesterday, but this number didn't change as much as you were expecting. That unexpected trend may cause you to investigate and resolve a potential issue before end-users are impacted. + +### Update status group for quality updates + +The **Update status** group for quality updates contains the following items: + +- **Update states for all security releases**: Chart containing the number of devices in a specific state, such as installing, for security updates. +- **Update states for the latest security releases**: Chart containing the number of devices in a specific state for the most recent security update. +- **Update alerts for all security releases**: Chart containing the count of active errors and warnings for security updates. + +:::image type="content" source="media/33771278-update-deployment-status-table.png" alt-text="Screenshot of the charts and table in the workbook's quality updates tab" lightbox="media/33771278-update-deployment-status-table.png"::: + +The **Update deployment status** table displays the quality updates for each operating system version that were released within the last 60 days. For each update, drill-in further by selecting a value from the following columns: + +| Column name | Description | Drill-in description | +|---|---|---| +|**Alerts**| Number of different error codes encountered by devices for the update. | Selecting this number lists the alert name for each error code and a count of devices with the error. Select the device count to display a list of devices that have an active alert for the error code. +| **KB Number** | KB number for the update | Selecting the KB number will open the support information webpage for the update.| +| **Total devices** | Number of devices that have been offered the update, or are installing, have installed, or canceled the update. | Selecting the device count opens a device list table. This table is limited to the first 250 rows. Select `...` to export the full list, or display the query in [Log Analytics](/azure/azure-monitor/logs/log-analytics-tutorial). | + +### Device status group for quality updates + +The **Device status** group for quality updates contains the following items: + +- **OS build number**: Chart containing a count of devices by OS build that are getting security updates. +- **Target version**: Chart containing how many devices by operating system version that are getting security updates. +- **Device compliance status**: Table containing a list of devices getting security updates and update installation information including active alerts for the devices. + - This table is limited to the first 250 rows. Select `...` to export the full list, or display the query in [Log Analytics](/azure/azure-monitor/logs/log-analytics-tutorial). + +## Feature updates tab + +The **Feature updates** tab displays generalized data at the top by using tiles. The feature update data becomes more specific as you navigate lower in this tab. The top of the **Feature updates** tab contains tiles with the following information: + +- **Devices count**: Count of devices that have reported a feature update is or was applicable and offered in the past 30 days, regardless of installation state of the update. +- **Feature update status**: Count of the devices that installed a feature update in the past 30 days. +- **End Of Service**: Count of devices running an operating system version that no longer receives feature updates. For more information, see the [Windows lifecycle FAQ](/lifecycle/faq/windows). +- **Nearing EOS** Count of devices that are within 18 months of their end of service date. +- **Total alerts**: Count of active alerts that are for feature updates. + +Just like the [**Quality updates** tab](#quality-updates-tab), the **Feature updates** tab is also subdivided into **Update status** and **Device status** groups below the tiles. + +### Update status group for feature updates + +The **Update status** group for feature updates contains the following items: + +- **Target version**: Chart containing count of devices per targeted operating system version. +- **Safeguard holds**: Chart containing count of devices per operating system version that are under a safeguard hold for a feature update +- **Update alerts**: Chart containing the count of active errors and warnings for feature updates. + +**Update deployment status** table for feature updates displays the installation status by targeted operating system version. For each operating system version targeted the following columns are available: + +| Column name | Description | Drill-in description | +|---|---|---| +| **Total progress** | Percentage of devices that installed the targeted operating system version feature update within the last 30 days. | A bar graph is included in this column. Use the **Total devices** drill-in for additional information. | +|**Alerts**| Number of different error codes encountered by devices for the update. | Selecting this number lists the alert name for each error code and a count of devices with the error. Select the device count to display a list of devices that have an active alert for the error code. | +| **Total Devices** | Count of devices for each targeted operating system version that have been offered the update, or are installing, have installed, or canceled the feature update.| Selecting the device count opens a device list table. This table is limited to the first 250 rows. Select `...` to export the full list, or display the query in [Log Analytics](/azure/azure-monitor/logs/log-analytics-tutorial). | + +### Device status group for feature updates + +The **Device status** group for feature updates contains the following items: + +- **Windows 11 readiness status**: Chart containing how many devices that have a status of capable, not capable, or unknown for Windows 11 readiness. +- **Device alerts**: Count of active alerts for feature updates in each alert classification. +- **Device compliance status**: Table containing a list of devices getting a feature update and installation information including active alerts for the devices. + - This table is limited to the first 250 rows. Select `...` to export the full list, or display the query in [Log Analytics](/azure/azure-monitor/logs/log-analytics-tutorial). + +## Customize the workbook + +Since the Update Compliance workbook is an [Azure Workbook template](/azure/azure-monitor/visualize/workbooks-templates), it can be customized to suit your needs. If you open a template, make some adjustments, and save it, the template is saved as a workbook. This workbook appears in green. The original template is left untouched. For more information about workbooks, see [Get started with Azure Workbooks](/azure/azure-monitor/visualize/workbooks-getting-started). + + +## Next steps + +- Explore the [Update Compliance (preview) schema](update-compliance-v2-schema.md) +- Review [Feedback, support, and troubleshooting](update-compliance-v2-help.md) information for Update Compliance diff --git a/windows/deployment/update/waas-delivery-optimization-faq.md b/windows/deployment/update/waas-delivery-optimization-faq.md deleted file mode 100644 index e7787d0b50..0000000000 --- a/windows/deployment/update/waas-delivery-optimization-faq.md +++ /dev/null @@ -1,101 +0,0 @@ ---- -title: Delivery Optimization Frequently Asked Questions -ms.reviewer: aaroncz -manager: dougeby -description: The following is a list of frequently asked questions for Delivery Optimization. -ms.prod: w10 -author: carmenf -ms.localizationpriority: medium -ms.author: carmenf -ms.collection: M365-modern-desktop -ms.topic: article -ms.custom: seo-marvel-apr2020 ---- - -# Delivery Optimization Frequently Asked Questions - -**Applies to** - -- Windows 10 -- Windows 11 - -## Does Delivery Optimization work with WSUS? - -Yes. Devices will obtain the update payloads from the WSUS server, but must also have an internet connection as they communicate with the Delivery Optimization cloud service for coordination. - -## Which ports does Delivery Optimization use? - -Delivery Optimization listens on port 7680 for requests from other peers by using TCP/IP. The service will register and open this port on the device. The port must be set to accept inbound traffic through your firewall. If you don't allow inbound traffic over port 7680, you can't use the peer-to-peer functionality of Delivery Optimization. However, devices can still successfully download by using HTTP or HTTPS traffic over port 80 (such as for default Windows Update data). - -Delivery Optimization will use Teredo to create peer groups, which include devices across NATs (or any form of internal subnet that uses gateways or firewalls between subnets). For this to work, you must allow inbound TCP/IP traffic over port 3544. Look for a "NAT traversal" setting in your firewall to set this up. - -Delivery Optimization also communicates with its cloud service by using HTTP/HTTPS over port 80. - -## What are the requirements if I use a proxy? - -For Delivery Optimization to successfully use the proxy, you should set up the proxy by using Windows proxy settings or Internet Explorer proxy settings. For details see [Using a proxy with Delivery Optimization](../do/delivery-optimization-proxy.md). Most content downloaded with Delivery Optimization uses byte range requests. Make sure your proxy allows byte range requests. For more information, see [Proxy requirements for Windows Update](/windows/deployment/update/windows-update-troubleshooting). - -## What hostnames should I allow through my firewall to support Delivery Optimization? - -**For communication between clients and the Delivery Optimization cloud service**: - -- `*.do.dsp.mp.microsoft.com` - -**For Delivery Optimization metadata**: - -- `*.dl.delivery.mp.microsoft.com` -- `*.emdl.ws.microsoft.com` - -**For the payloads (optional)**: - -- `*.download.windowsupdate.com` -- `*.windowsupdate.com` - -**For group peers across multiple NATs (Teredo)**: - -- `win1910.ipv6.microsoft.com` - -For more information, see [Endpoints for Delivery Optimization and Microsoft Connected Cache](../do/delivery-optimization-endpoints.md) for a list of all content endpoints needed. - -## Does Delivery Optimization use multicast? - -No. It relies on the cloud service for peer discovery, resulting in a list of peers and their IP addresses. Client devices then connect to their peers to obtain download files over TCP/IP. - -## How does Delivery Optimization deal with congestion on the router from peer-to-peer activity on the LAN? - -Starting in Windows 10, version 1903, Delivery Optimization uses LEDBAT to relieve such congestion. For more information, see this post on the [Networking Blog](https://techcommunity.microsoft.com/t5/Networking-Blog/Windows-Transport-converges-on-two-Congestion-Providers-Cubic/ba-p/339819). - -## How does Delivery Optimization handle VPNs? - -Delivery Optimization attempts to identify VPNs by checking the network adapter type and details. A connection will be treated as a VPN if the adapter description contains certain keywords, such as "VPN" or "secure." - -If the connection is identified as a VPN, Delivery Optimization will suspend uploads to other peers. However, you can allow uploads over a VPN by using the [Enable Peer Caching while the device connects via VPN](../do/waas-delivery-optimization-reference.md#enable-peer-caching-while-the-device-connects-via-vpn) policy. - -If you have defined a boundary group in Configuration Manager for VPN IP ranges, you can set the [DownloadMode](../do/waas-delivery-optimization-reference.md#download-mode) policy to 0 for that boundary group, to ensure that there will be no peer-to-peer activity over the VPN. When the device is not connected using a VPN, it can still use peer-to-peer with the default of LAN. - -With split tunneling, make sure to allow direct access to these endpoints: - -Delivery Optimization service endpoint: - -- `https://*.prod.do.dsp.mp.microsoft.com` - -Delivery Optimization metadata: - -- `http://emdl.ws.microsoft.com` -- `http://*.dl.delivery.mp.microsoft.com` - -Windows Update and Microsoft Store backend services and Windows Update and Microsoft Store payloads - -- `http://*.windowsupdate.com` -- `https://*.delivery.mp.microsoft.com` -- `https://*.update.microsoft.com` -- `https://tsfe.trafficshaping.dsp.mp.microsoft.com` - -For more information about remote work if you're using Configuration Manager, see this post on the [Configuration Manager blog](https://techcommunity.microsoft.com/t5/configuration-manager-blog/managing-patch-tuesday-with-configuration-manager-in-a-remote/ba-p/1269444). - -## How does Delivery Optimization handle networks where a public IP address is used in place of a private IP address? - -Starting with Windows 10, version 1903 or later, Delivery Optimization no longer restricts connections between LAN peers to those using private IP addresses. If you use public IP addresses instead of private IP addresses, you can use Delivery Optimization in LAN mode. - -> [!NOTE] -> If you use public IP addresses instead of private in LAN mode, the bytes downloaded from or uploaded to LAN peers with public IP addresses might be reported as coming from Internet peers. diff --git a/windows/deployment/windows-autopatch/TOC.yml b/windows/deployment/windows-autopatch/TOC.yml index c6e175c270..b56c8a8916 100644 --- a/windows/deployment/windows-autopatch/TOC.yml +++ b/windows/deployment/windows-autopatch/TOC.yml @@ -35,7 +35,7 @@ - name: Operate href: operate/index.md items: - - name: Update management + - name: Software update management href: operate/windows-autopatch-update-management.md items: - name: Windows updates @@ -79,6 +79,8 @@ href: operate/windows-autopatch-wqu-unsupported-policies.md - name: Microsoft 365 Apps for enterprise update policies href: references/windows-autopatch-microsoft-365-policies.md + - name: Changes made at tenant enrollment + href: references/windows-autopatch-changes-to-tenant.md - name: Privacy href: references/windows-autopatch-privacy.md - name: Windows Autopatch preview addendum diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md index 649f4f674b..61a5e35dfe 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md @@ -1,7 +1,7 @@ --- title: Register your devices description: This article details how to register devices in Autopatch -ms.date: 08/04/2022 +ms.date: 08/08/2022 ms.prod: w11 ms.technology: windows ms.topic: how-to @@ -18,7 +18,7 @@ Before Microsoft can manage your devices in Windows Autopatch, you must have dev ## Before you begin -Windows Autopatch can take over software update management of supported devices as soon as an IT admin decides to have their tenant managed by the service. The Windows Autopatch software update management scope includes: +Windows Autopatch can take over software update management control of devices that meet software-based prerequisites as soon as an IT admin decides to have their tenant managed by the service. The Windows Autopatch software update management scope includes the following software update workloads: - [Windows quality updates](../operate/windows-autopatch-wqu-overview.md) - [Windows feature updates](../operate/windows-autopatch-fu-overview.md) @@ -31,7 +31,7 @@ Windows Autopatch can take over software update management of supported devices You must choose what devices to manage with Windows Autopatch by either adding them through direct membership or by nesting other Azure AD dynamic/assigned groups into the **Windows Autopatch Device Registration** Azure AD assigned group. Windows Autopatch automatically runs its discover devices function every hour to discover new devices added to this group. Once new devices are discovered, Windows Autopatch attempts to register these devices. > [!NOTE] -> Devices that are intended to be managed by the Windows Autopatch service **must** be added into the **Windows Autopatch Device Registration** Azure AD assigned group. Devices can only be added to this group if they have an Azure AD device ID. Windows Autopatch scans the Azure AD group hourly to discover newly added devices to be registered. You can also use the **Discover devices** button in either the Ready or Not ready tab to register devices on demand. +> Devices that are intended to be managed by the Windows Autopatch service **must** be added into the **Windows Autopatch Device Registration** Azure AD assigned group. Devices can only be added to this group if they have an Azure AD device ID. Windows Autopatch scans the Azure AD group hourly to discover newly added devices to be registered. You can also use the **Discover devices** button in either the **Ready** or **Not ready** tab to register devices on demand. #### Supported scenarios when nesting other Azure AD groups @@ -48,9 +48,6 @@ Azure AD groups synced up from: > [!IMPORTANT] > The **Windows Autopatch Device Registration** Azure AD group only supports one level of Azure AD nested groups. -> [!TIP] -> You can also use the **Discover Devices** button in either the Ready or Not ready tab to discover devices from the **Windows Autopatch Device Registration** Azure AD group on demand. - ### Clean up dual state of Hybrid Azure AD joined and Azure registered devices in your Azure AD tenant An [Azure AD dual state](/azure/active-directory/devices/hybrid-azuread-join-plan#handling-devices-with-azure-ad-registered-state) occurs when a device is initially connected to Azure AD as an [Azure AD Registered](/azure/active-directory/devices/concept-azure-ad-register) device. However, when you enable Hybrid Azure AD join, the same device is connected twice to Azure AD but as a [Hybrid Azure AD device](/azure/active-directory/devices/concept-azure-ad-join-hybrid). @@ -66,7 +63,7 @@ It's recommended to detect and clean up stale devices in Azure AD before registe To be eligible for Windows Autopatch management, devices must meet a minimum set of required software-based prerequisites: -- Windows 10 (1809+)/11 Enterprise and Professional edition versions (only x64 architecture). +- Windows 10 (1809+)/11 Enterprise or Professional editions (only x64 architecture). - Either [Hybrid Azure AD-Joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid) or [Azure AD-joined only](/azure/active-directory/devices/concept-azure-ad-join-hybrid) (personal devices aren't supported). - Managed by Microsoft Endpoint Manager. - [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune) and/or [Configuration Manager Co-management](/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites#configuration-manager-co-management-requirements). @@ -105,33 +102,39 @@ For more information, see [Azure AD built-in roles](/azure/active-directory/role ## Details about the device registration process -Registering your devices in Windows Autopatch does the following: +Registering your devices with Windows Autopatch does the following: 1. Makes a record of devices in the service. -2. Assign devices into the deployment ring groups and other groups required for software updates management. +2. Assign devices to the [deployment rings](../operate/windows-autopatch-update-management.md) and other groups required for software update management. + +For more information, see [Device registration overview](../deploy/windows-autopatch-device-registration-overview.md). ## Steps to register devices -Any device (either physical or virtual) that contains an Azure AD device ID can be added into the **Windows Autopatch Device Registration** Azure AD group to be registered with Windows Autopatch. +Any device (either physical or virtual) that contains an Azure AD device ID, can be added into the **Windows Autopatch Device Registration** Azure AD group through either direct membership or by being part of another Azure AD group (either dynamic or assigned) that's nested to this group, so it can be registered with Windows Autopatch. The only exception is new Windows 365 Cloud PCs, as these virtual devices must be registered with Windows Autopatch from the Windows 365 provisioning policy. For more information, see [Windows Autopatch on Windows 365 Enterprise Workloads](#windows-autopatch-on-windows-365-enterprise-workloads). +Since existing Windows 365 Cloud PCs already have an existing Azure AD device ID, these devices can be added into the **Windows Autopatch Device Registration** Azure group through either direct membership or by being part of another Azure AD group (either dynamic or assigned) that's nested to this group. -**To register physical devices into Windows Autopatch:** +**To register devices with Windows Autopatch:** 1. Go to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/). 2. Select **Windows Autopatch** from the left navigation menu. 3. Select **Devices**. -4. Select the **Ready** tab, then select the **Windows Autopatch Device Registration** hyperlink. The Azure Active Directory group blade opens. -5. Add either devices through direct membership, or other Azure Active Directory dynamic or assigned groups as nested groups in the **Windows Autopatch Device Registration** group. +4. Select either the **Ready** or the **Not ready** tab, then select the **Windows Autopatch Device Registration** hyperlink. The Azure Active Directory group blade opens. +5. Add either devices through direct membership, or other Azure AD dynamic or assigned groups as nested groups in the **Windows Autopatch Device Registration** group. > [!NOTE] -> The **Windows Autopatch Device Registration** hyperlink is in the center of the Ready tab when there's no devices registered with the Windows Autopatch service. Once you have one or more devices registered with the Windows Autopatch service, the **Windows Autopatch Device registration** hyperlink is at the top of both Ready and Not ready tabs. +> The **Windows Autopatch Device Registration** hyperlink is in the center of the Ready tab when there's no devices registered with the Windows Autopatch service. Once you have one or more devices registered with the Windows Autopatch service, the **Windows Autopatch Device registration** hyperlink is at the top of both **Ready** and **Not ready** tabs. -Once devices or Azure AD groups containing devices are added to the **Windows Autopatch Device Registration** group, Windows Autopatch discovers these devices, and runs software-based prerequisite checks to try to register them with its service. +Once devices or other Azure AD groups (either dynamic or assigned) containing devices are added to the **Windows Autopatch Device Registration** group, Windows Autopatch's device discovery hourly function discovers these devices, and runs software-based prerequisite checks to try to register them with its service. + +> [!TIP] +> You can also use the **Discover Devices** button in either the **Ready** or **Not ready** tab to discover devices from the **Windows Autopatch Device Registration** Azure AD group on demand. ### Windows Autopatch on Windows 365 Enterprise Workloads -With Windows 365 Enterprise, IT admins are given the option to register devices with the Windows Autopatch service as part of the Windows 365 provisioning policy creation. This option provides a seamless experience for admins and users to ensure your Cloud PCs are always up to date. When IT admins decide to manage their Windows 365 Cloud PCs with Windows Autopatch, the Windows 365 provisioning policy creation process calls Windows Autopatch device registration APIs to register devices on behalf of the IT admin. +Windows 365 Enterprise gives IT admins the option to register devices with the Windows Autopatch service as part of the Windows 365 provisioning policy creation. This option provides a seamless experience for admins and users to ensure your Cloud PCs are always up to date. When IT admins decide to manage their Windows 365 Cloud PCs with Windows Autopatch, the Windows 365 provisioning policy creation process calls Windows Autopatch device registration APIs to register devices on behalf of the IT admin. -**To deploy Windows Autopatch on a Windows 365 Provisioning Policy:** +**To register new Windows 365 Cloud PC devices with Windows Autopatch from the Windows 365 Provisioning Policy:** 1. Go to the [Microsoft Endpoint Manager](https://endpoint.microsoft.com/) admin center. 1. In the left pane, select **Devices**. @@ -144,12 +147,7 @@ With Windows 365 Enterprise, IT admins are given the option to register devices 1. Assign your policy accordingly and select **Next**. 1. Select **Create**. Now your newly provisioned Windows 365 Enterprise Cloud PCs will automatically be enrolled and managed by Windows Autopatch. -For general guidance, see [Create a Windows 365 Provisioning Policy](/windows-365/enterprise/create-provisioning-policy). - -#### Deploy Autopatch on Windows 365 for existing Cloud PC - -All your existing Windows 365 Enterprise workloads can be registered into Windows Autopatch by leveraging the same method for any other physical or virtual device. See [steps to register devices](#steps-to-register-devices) for more details. - +For more information, see [Create a Windows 365 Provisioning Policy](/windows-365/enterprise/create-provisioning-policy). ### Contact support for device registration-related incidents Support is available either through Windows 365, or the Windows Autopatch Service Engineering team for device registration-related incidents. diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md index 8f286647f4..ddefb5977c 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md @@ -1,7 +1,7 @@ --- title: Microsoft 365 Apps for enterprise description: This article explains how Microsoft 365 Apps for enterprise updates are managed in Windows Autopatch -ms.date: 05/30/2022 +ms.date: 08/08/2022 ms.prod: w11 ms.technology: windows ms.topic: conceptual @@ -88,7 +88,7 @@ Since quality updates are bundled together into a single release in the [Monthly A [service profile](/deployoffice/admincenter/servicing-profile#compatibility-with-other-management-tools) takes precedence over other management tools, such as Microsoft Endpoint Manager or the Office Deployment Tool. This means that the servicing profile will affect all devices that meet the [device eligibility requirements](#device-eligibility) regardless of existing management tools in your environment. So, if you're targeting a managed device with a servicing profile it will be ineligible for Microsoft 365 App update management. -However, the device may still be eligible for other managed updates. For more information about a device's eligibility for a given [update type](windows-autopatch-update-management.md#update-types), see the Device eligibility section of each respective update type. +However, the device may still be eligible for other managed updates. For more information about a device's eligibility for a given [software update workload](windows-autopatch-update-management.md#software-update-workloads), see the Device eligibility section of each respective software update workload. ## Incidents and outages diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-unenroll-tenant.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-unenroll-tenant.md index 7ff238e112..36f12e46cd 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-unenroll-tenant.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-unenroll-tenant.md @@ -33,14 +33,14 @@ Unenrolling from Windows Autopatch requires manual actions from both you and fro | Responsibility | Description | | ----- | ----- | | Windows Autopatch data | Windows Autopatch will delete user data that is within the Windows Autopatch service. We won’t make changes to any other data. For more information about how data is used in Windows Autopatch, see [Privacy](../references/windows-autopatch-privacy.md). | -| Deregistering devices | Windows Autopatch will deregister all devices previously registered with the service. Only the Windows Autopatch device record will be deleted. We will not delete Microsoft Intune and/or Azure Active Directory device records. For more information, see [Deregister a device](/windows/deployment/windows-autopatch/operate/windows-autopatch-deregister-devices). | +| Deregistering devices | Windows Autopatch will deregister all devices previously registered with the service. Only the Windows Autopatch device record will be deleted. We won't delete Microsoft Intune and/or Azure Active Directory device records. For more information, see [Deregister a device](/windows/deployment/windows-autopatch/operate/windows-autopatch-deregister-devices). | ## Your responsibilities after unenrolling your tenant | Responsibility | Description | | ----- | ----- | | Updates | After the Windows Autopatch service is unenrolled, we’ll no longer provide updates to your devices. You must ensure that your devices continue to receive updates through your own policies to ensure they're secure and up to date. | -| Optional Windows Autopatch configuration | Windows Autopatch won’t remove the configuration policies or groups used to enable updates on your devices. You're responsible for these policies following tenant unenrollment. If you don’t wish to use these policies for your devices after unenrollment, you may safely delete them. | +| Optional Windows Autopatch configuration | Windows Autopatch won’t remove the configuration policies or groups used to enable updates on your devices. You're responsible for these policies following tenant unenrollment. If you don’t wish to use these policies for your devices after unenrollment, you may safely delete them. For more information, see [Changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md). | | Windows Autopatch cloud service accounts | After unenrollment, you may safely remove the cloud service accounts created during the enrollment process. The accounts are:
  • MsAdmin
  • MsAdminInt
  • MsTest
| | Conditional access policy | After unenrollment, you may safely remove the **Modern Workplace – Secure Workstation** conditional access policy. | | Microsoft Endpoint Manager roles | After unenrollment, you may safely remove the Modern Workplace Intune Admin role. | diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md index 04bdc38aae..983a41a940 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md @@ -1,7 +1,7 @@ --- -title: Update management +title: Software update management description: This article provides an overview of how updates are handled in Autopatch -ms.date: 05/30/2022 +ms.date: 08/08/2022 ms.prod: w11 ms.technology: windows ms.topic: overview @@ -9,16 +9,16 @@ ms.localizationpriority: medium author: tiaraquan ms.author: tiaraquan manager: dougeby -msreviewer: hathind +msreviewer: andredm7 --- -# Update management +# Software update management -Keeping your devices up to date is a balance of speed and stability. Windows Autopatch connects all devices to a modern cloud-based infrastructure to manage updates. +Keeping your devices up to date is a balance of speed and stability. Windows Autopatch connects all devices to a modern cloud-based infrastructure to manage updates on your behalf. -## Update types +## Software update workloads -| Update type | Description | +| Software update workload | Description | | ----- | ----- | | Windows quality update | Windows Autopatch uses four update rings to manage Windows quality updates. For more detailed information, see [Windows quality updates](../operate/windows-autopatch-wqu-overview.md). | | Windows feature update | Windows Autopatch uses four update rings to manage Windows feature updates. For more detailed information, see [Windows feature updates](windows-autopatch-fu-overview.md). @@ -27,44 +27,73 @@ Keeping your devices up to date is a balance of speed and stability. Windows Aut | Microsoft Edge | For more information, see [Microsoft Edge](../operate/windows-autopatch-edge.md). | | Microsoft Teams | For more information, see [Microsoft Teams](../operate/windows-autopatch-teams.md). | -## Update rings +## Windows Autopatch deployment rings + +During the [tenant enrollment process](../prepare/windows-autopatch-enroll-tenant.md), Windows Autopatch creates four Azure AD assigned groups that are used to segment devices into its deployment rings: + +| Ring | Description | +| ----- | ----- | +| **Modern Workplace Devices-Windows Autopatch-Test** | Deployment ring for testing update deployments prior production rollout.| +| **Modern Workplace Devices-Windows Autopatch-First** | First production deployment ring for early adopters.| +| **Modern Workplace Devices-Windows Autopatch-Fast** | Fast deployment ring for quick rollout and adoption. | +| **Modern Workplace Devices-Windows Autopatch-Broad** | Final deployment ring for broad rollout into the organization. | + +Each deployment ring has a different set of update deployment policies to control the updates rollout. + +> [!IMPORTANT] +> Windows Autopatch device registration doesn't assign devices to its test deployment ring (**Modern Workplace Devices-Windows Autopatch-Test**). This is intended to prevent devices that are essential to a business from being affected or devices that are used by executives from receiving early software update deployments. + +Also, during the [device registration process](../deploy/windows-autopatch-device-registration-overview.md), Windows Autopatch assigns each device being registered to one of its deployment rings so that the service has the proper representation of the device diversity across the organization in each deployment ring. The deployment ring distribution is designed to release software update deployments to as few devices as possible to get the signals needed to make a quality evaluation of a given update deployment. > [!NOTE] -> Update rings only apply to Windows quality updates. +> Windows Autopatch deployment rings only apply to Windows quality updates. Additionally, you can't create additional deployment rings or use your own for devices managed by the Windows Autopatch service. -During enrollment, Windows Autopatch creates four Azure Active Directory groups that are used to segment devices into update rings: +### Deployment ring calculation logic -1. Modern Workplace Devices - Test -2. Modern Workplace Devices - First -3. Modern Workplace Devices - Fast -4. Modern Workplace Devices - Broad +The Windows Autopatch deployment ring calculation happens during the [device registration process](../deploy/windows-autopatch-device-registration-overview.md) and it works as follows: -Each of the update rings has a different purpose and assigned a set of policies to control the rollout of updates in each management area. +- If the Windows Autopatch tenant’s existing managed device size is **≤ 200**, the deployment ring assignment is First **(5%)**, Fast **(15%)**, remaining devices go to the Broad ring **(80%)**. +- If the Windows Autopatch tenant’s existing managed device size is **>200**, the deployment ring assignment will be First **(1%)**, Fast **(9%)**, remaining devices go to the Broad ring **(90%)**. -When a device is enrolled into the Windows Autopatch service, the device is assigned to an update ring so that we have the right distributions across your estate. The distribution of each ring is designed to release to as few devices as possible to get the signals needed to make a quality evaluation of a given release. -> [!NOTE] -> You can't create additional rings for managed devices and must use the four rings provided by Windows Autopatch. - -| Ring | Default device count | Description +| Deployment ring | Default device balancing percentage | Description | | ----- | ----- | ----- | -| Test | zero | Windows Autopatch doesn't automatically add devices to this ring. You must manually add devices to the Test ring. The recommended number of devices in this ring, based upon your environment size, is as follows:
  • 0–500 devices: minimum one device
  • 500–5000 devices: minimum five devices
  • 5000+ devices: min 50 devices
Devices in this group are intended for your IT Administrators and testers since changes are released here first. This release schedule provides your organization the opportunity to validate updates prior to reaching production users. | -| First | 1% | The First ring is the first group of production users to receive a change.

This group is the first set of devices to send data to Windows Autopatch and are used to generate a health signal across all customers. For example, we can generate a statistically significant signal saying that critical errors are trending up in a specific release for all customers but can't be confident that it's doing so in your environment.

Since Windows Autopatch doesn't yet have sufficient data to inform a release decision, devices in this ring might experience outages if there are scenarios that weren't covered during testing in the Test ring.| -| Fast | 9% | The Fast ring is the second group of production users to receive changes. The signals from the First ring are considered as a part of the release process to the Broad ring.

The goal with this ring is to cross the 500-device threshold needed to generate statistically significant analysis at the tenant level. These extra devices allow Windows Autopatch to consider the effect of a release on the rest of your devices and evaluate if a targeted action for your tenant is needed.

| -| Broad | 90% | The Broad ring is the last group of users to receive changes. Since it contains most of the devices enrolled in Windows Autopatch, it favors stability over speed in deployment.| +| Test | **zero** | Windows Autopatch doesn't automatically add devices to this deployment ring. You must manually add devices to the Test ring. The recommended number of devices in this ring, based upon your environment size, is as follows:
  • **0–500** devices: minimum **one** device.
  • **500–5000** devices: minimum **five** devices.
  • **5000+** devices: minimum **50** devices.
Devices in this group are intended for your IT Administrators and testers since changes are released here first. This release schedule provides your organization the opportunity to validate updates prior to reaching production users. | +| First | **1%** | The First ring is the first group of production users to receive a change.

This group is the first set of devices to send data to Windows Autopatch and are used to generate a health signal across all end-users. For example, Windows Autopatch can generate a statistically significant signal saying that critical errors are trending up in a specific release for all end-users, but can't be confident that it's doing so in your organization.

Since Windows Autopatch doesn't yet have sufficient data to inform a release decision, devices in this deployment ring might experience outages if there are scenarios that weren't covered during early testing in the Test ring.| +| Fast | **9%** | The Fast ring is the second group of production users to receive changes. The signals from the First ring are considered as a part of the release process to the Broad ring.

The goal with this deployment ring is to cross the **500**-device threshold needed to generate statistically significant analysis at the tenant level. These extra devices allow Windows Autopatch to consider the effect of a release on the rest of your devices and evaluate if a targeted action for your tenant is needed.

| +| Broad | Either **80%** or **90%** | The Broad ring is the last group of users to receive software update deployments. Since it contains most of the devices registered with Windows Autopatch, it favors stability over speed in an software update deployment.| -## Moving devices between rings +## Moving devices in between deployment rings -If you want to move separate devices to different rings, repeat the following steps for each device: +If you want to move separate devices to different deployment rings, after Windows Autopatch's deployment ring assignment, you can repeat the following steps for one or more devices from the **Ready** tab. + +**To move devices in between deployment rings:** 1. In Microsoft Endpoint Manager, select **Devices** in the left pane. 2. In the **Windows Autopatch** section, select **Devices**. -3. Select the devices you want to assign. All selected devices will be assigned to the ring you specify. +3. In the **Ready** tab, select one or more devices you want to assign. All selected devices will be assigned to the deployment ring you specify. 4. Select **Device actions** from the menu. 5. Select **Assign device to ring**. A fly-in opens. -6. Use the dropdown menu to select the ring to move devices to, and then select **Save**. The **Ring assigned by** column will change to **Pending**. +6. Use the dropdown menu to select the deployment ring to move devices to, and then select **Save**. The **Ring assigned by** column will change to **Pending**. -When the assignment is complete, the **Ring assigned by** column will change to Admin (indicates that you made the change) and the **Ring** column will show the new ring assignment. +When the assignment is complete, the **Ring assigned by** column changes to **Admin** (which indicates that you made the change) and the **Ring** column shows the new deployment ring assignment. > [!NOTE] -> You can't move devices to other rings if they're in the "error" or "pending" registration state.

If a device hasn't been properly removed, it could show a status of "ready." If you move such a device, it's possible that the move won't be complete. If you don't see the **Ring assigned by column** change to **Pending** in Step 5, check that the device is available by searching for it in Intune. For more information, see [Device details in Intune](/mem/intune/remote-actions/device-inventory). +> You can only move devices to other deployment rings when they're in an active state in the **Ready** tab.

If you don't see the **Ring assigned by column** change to **Pending** in Step 5, check to see whether the device exists in Microsoft Endpoint Manager-Intune or not by searching for it in its device blade. For more information, see [Device details in Intune](/mem/intune/remote-actions/device-inventory). + +## Automated deployment ring remediation functions + +Windows Autopatch monitors device membership in its deployment rings, except for the **Modern Workplace Devices-Windows Autopatch-Test** ring, to provide automated deployment ring remediation functions to mitigate the risk of not having its managed devices being part of one of its deployment rings. These automated functions help mitigate risk of potentially having devices in a vulnerable state, and exposed to security threats in case they're not receiving update deployments due to either: + +- Changes performed by the IT admin on objects created by the Windows Autopatch tenant enrollment process, or +- An issue occurred which prevented devices from getting a deployment rings assigned during the [device registration process](../deploy/windows-autopatch-device-registration-overview.md). + +There are two automated deployment ring remediation functions: + +| Function | Description | +| ----- | ----- | +| **Check Device Deployment Ring Membership** | Every hour, Windows Autopatch checks to see if any of its managed devices aren't part of one of the deployment rings. If, for some reason, a device isn't part of a deployment ring, Windows Autopatch randomly assigns the device to one of its deployment rings (except for the **Modern Workplace Devices-Windows Autopatch-Test** ring). | +| **Multi-deployment ring device remediator:**| Every hour, Windows Autopatch checks to see if any of its managed devices are part of multiple deployment rings (except for the **Modern Workplace Devices-Windows Autopatch-Test** ring). If, for some reason, a device is part of multiple deployment rings, Windows Autopatch randomly removes device of one or more deployment rings until the device is only part of one deployment ring.| + +> [!IMPORTANT] +> Windows Autopatch automated deployment ring functions doesn't assign or remove devices to or from the **Modern Workplace Devices-Windows Autopatch-Test** ring. diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md index e58e36cbfd..c7c96c2575 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md @@ -1,7 +1,7 @@ --- title: Windows quality updates description: This article explains how Windows quality updates are managed in Autopatch -ms.date: 05/30/2022 +ms.date: 08/08/2022 ms.prod: w11 ms.technology: windows ms.topic: conceptual @@ -37,7 +37,7 @@ For a device to be eligible for Windows quality updates as a part of Windows Aut Windows Autopatch deploys the [B release of Windows quality updates](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-quality-updates-primer/ba-p/2569385) that are released on the second Tuesday of each month. -To release updates to devices in a gradual manner, Windows Autopatch deploys a set of mobile device management (MDM) policies to each update ring to control the rollout. There are three primary policies that are used to control Windows quality updates: +To release updates to devices in a gradual manner, Windows Autopatch deploys a set of mobile device management (MDM) policies to each update deployment ring to control the rollout. There are three primary policies that are used to control Windows quality updates: | Policy | Description | | ----- | ----- | @@ -48,7 +48,7 @@ To release updates to devices in a gradual manner, Windows Autopatch deploys a s > [!IMPORTANT] > Deploying deferral, deadline, or grace period policies which conflict with Autopatch's policies will cause a device to be considered ineligible for management, it will still receive policies from Windows Autopatch that are not in conflict, but may not function as designed. These devices will be marked as ineligible in our device reporting and will not count towards our [service level objective](#service-level-objective). -Windows Autopatch configures these policies differently across update rings to gradually release the update to devices in your estate. Devices in the Test ring receive changes first and devices in the Broad ring receive changes last. For more information, see [Update rings](../operate/windows-autopatch-update-management.md#update-rings). +Windows Autopatch configures these policies differently across update rings to gradually release the update to devices in your estate. Devices in the Test ring receive changes first and devices in the Broad ring receive changes last. For more information, see [Windows Autopatch deployment rings](../operate/windows-autopatch-update-management.md#windows-autopatch-deployment-rings). :::image type="content" source="../media/release-process-timeline.png" alt-text="Release process timeline"::: diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml index 29d2234dde..54b36ea6ce 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml @@ -4,7 +4,7 @@ metadata: description: Answers to frequently asked questions about Windows Autopatch. ms.prod: w11 ms.topic: faq - ms.date: 07/06/2022 + ms.date: 08/08/2022 audience: itpro ms.localizationpriority: medium manager: dougeby @@ -96,9 +96,9 @@ sections: - question: Can you customize the scheduling of an update rollout to only install on certain days and times? answer: | No, you can't customize update scheduling. However, you can specify [active hours](../operate/windows-autopatch-wqu-end-user-exp.md#servicing-window) to prevent users from updating during business hours. - - question: Does Autopatch support include and exclude groups, or dynamic groups to define ring membership? + - question: Does Autopatch support include and exclude groups, or dynamic groups to define deployment ring membership? answer: | - Windows autopatch doesn't support managing update ring membership using your Azure AD groups. For more information, see [Move devices between rings](../operate/windows-autopatch-update-management.md#moving-devices-between-rings). + Windows autopatch doesn't support managing update deployment ring membership using your Azure AD groups. For more information, see [Moving devices in between deployment rings](../operate/windows-autopatch-update-management.md#moving-devices-in-between-deployment-rings). - question: Does Autopatch have two release cadences per update or are there two release cadences per-ring? answer: | The release cadences are defined based on the update type. For example, a [regular cadence](../operate/windows-autopatch-wqu-overview.md#windows-quality-update-releases) (for a Windows quality update would be a gradual rollout from the Test ring to the Broad ring over 14 days whereas an [expedited release](../operate/windows-autopatch-wqu-overview.md#expedited-releases) would roll out more rapidly. diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md index 99940fe13f..7ff9f212c0 100644 --- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md +++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md @@ -99,6 +99,9 @@ Within the Readiness assessment tool, you'll now see the **Enroll** button. By s Once these actions are complete, you've now successfully enrolled your tenant. +> [!NOTE] +> For more information about changes made to your tenant, see [Changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md). + ### Delete data collected from the Readiness assessment tool You can choose to delete the data we collect directly within the Readiness assessment tool. diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md new file mode 100644 index 0000000000..62a9d46a41 --- /dev/null +++ b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md @@ -0,0 +1,161 @@ +--- +title: Changes made at tenant enrollment +description: This reference article details the changes made to your tenant when enrolling into Windows Autopatch +ms.date: 08/08/2022 +ms.prod: w11 +ms.technology: windows +ms.topic: reference +ms.localizationpriority: medium +author: tiaraquan +ms.author: tiaraquan +manager: dougeby +msreviewer: hathind +--- + +# Changes made at tenant enrollment + +## Service principal + +Windows Autopatch will create a service principal in your tenant allowing the service to establish an identity and restrict access to what resources the service has access to within the tenant. For more information, see [Application and service principal objects in Azure Active Directory](/azure/active-directory/develop/app-objects-and-service-principals#service-principal-object). The service principal created by Windows Autopatch is: + +- Modern Workplace Customer APIs + +## Azure Active Directory groups + +Windows Autopatch will create Azure Active Directory groups that are required to operate the service. The following groups are used for targeting Windows Autopatch configurations to devices and management of the service by our service accounts. + +| Group name | Description | +| ----- | ----- | +| Modern Workplace-All | All Modern Workplace users | +| Modern Workplace - Windows 11 Pre-Release Test Devices | Device group for Windows 11 Pre-Release testing. | +| Modern Workplace Devices-All | All Modern Workplace devices | +| Modern Workplace Devices-Windows Autopatch-Test | Immediate ring for device rollout | +| Modern Workplace Devices-Windows Autopatch-First | First production ring for early adopters | +| Modern Workplace Devices-Windows Autopatch-Fast | Fast ring for quick rollout and adoption | +| Modern Workplace Devices-Windows Autopatch-Broad | Final ring for broad rollout into an organization | +| Modern Workplace Devices Dynamic - Windows 10 | Microsoft Managed Desktop Devices with Windows 10

Group Rule:

  • `(device.devicePhysicalIds -any _ -startsWith \"[OrderID]:Microsoft365Managed_\")`
  • `(device.deviceOSVersion -notStartsWith \"10.0.22000\")`

Exclusions:
  • Modern Workplace - Telemetry Settings for Windows 11
| +| Modern Workplace Devices Dynamic - Windows 11 | Microsoft Managed Desktop Devices with Windows 11

Group Rule:

  • `(device.devicePhysicalIds -any _ -startsWith \"[OrderID]:Microsoft365Managed_\")`
  • `(device.deviceOSVersion -startsWith \"10.0.22000\")`

Exclusions:
  • Modern Workplace - Telemetry Settings for Windows 10
| +| Modern Workplace Roles - Service Administrator | All users granted access to Modern Workplace Service Administrator Role | +| Modern Workplace Roles - Service Reader | All users granted access to Modern Workplace Service Reader Role | +| Modern Workplace Service - Intune Admin All | Group for Intune Admins

Assigned to:

  • Modern Workplace Service Accounts
| +| Modern Workplace Service - Intune Reader All | Group for Intune readers

Assigned to:

  • Modern Workplace Service Accounts
| +| Modern Workplace Service - Intune Reader MMD | Group for Intune readers of MMD devices and users

Assigned to:

  • Modern Workplace Service Accounts
| +| Modern Workplace Service Accounts | Group for Windows Autopatch service accounts | +| Windows Autopatch Device Registration | Group for automatic device registration for Windows Autopatch | + +## Windows Autopatch enterprise applications + +Enterprise applications are applications (software) that a business uses to do its work. + +Windows Autopatch creates an enterprise application in your tenant. This enterprise application is a first party application used to run the Windows Autopatch service. + +| Enterprise application name | Usage | Permissions | +| ----- | ------ | ----- | +| Modern Workplace Management | This enterprise application is a limited first party enterprise application with elevated privileges. This account is used to manage the service, publish baseline configuration updates, and maintain overall service health. |
  • DeviceManagementApps.ReadWrite.All
  • DeviceManagementConfiguration.ReadWrite.All
  • DeviceManagementManagedDevices.PriviligedOperation.All
  • DeviceManagementManagedDevices.ReadWrite.All
  • DeviceManagementRBAC.ReadWrite.All
  • DeviceManagementServiceConfig.ReadWrite.All
  • Directory.Read.All
  • Group.Create
  • Policy.Read.All
  • WindowsUpdates.Read.Write.All
| + +> [!NOTE] +> Enterprise application authentication is only available on tenants enrolled after July 9th, 2022. For tenants enrolled before this date, Enterprise Application authentication will be made available for enrollment soon. + +## Windows Autopatch cloud service accounts + +Windows Autopatch will create three cloud service accounts in your tenant. These accounts are used to run the service and all need to be excluded from any multi-factor authentication controls. + +> [!NOTE] +> Effective Aug 15th, 2022, these accounts will no longer be added to newly enrolled tenants, and existing tenants will be provided an option to migrate to enterprise application-based authentication. These accounts will be removed with that transition. + +| Cloud service account name | Usage | Mitigating controls | +| ----- | ----- | ------ | +| MsAdmin@tenantDomain.onmicrosoft.com |
  • This account is a limited-service account with administrator privileges. This account is used as an Intune and User administrator to define and configure the tenant for Microsoft Modern desktop devices.
  • This account doesn't have interactive sign-in permissions.  The account performs operations only through the service.
| Audited sign-ins | +| MsAdminInt@tenantDomain.onmicrosoft.com |
  • This account is an Intune and User administrator account used to define and configure the tenant for Modern Workplace devices.
  • This account is used for interactive sign-in to the customers’ tenant.
  • The use of this account is extremely limited as most operations are exclusively through msadmin (non-interactive).
    • |
    • Restricted to be accessed only from defined secure access workstations (SAWs) through the Modern Workplace - Secure Workstation conditional access policy.
    • Audited sign-ins
    | +| MsTest@tenantDomain.onmicrosoft.com | This is a standard account used as a validation account for initial configuration and roll out of policy, application, and device compliance settings. | Audited sign-ins | + +## Device configuration policies + +- Modern Workplace - Set MDM to Win Over GPO +- Modern Workplace - Telemetry Settings for Windows 10 +- Modern Workplace - Telemetry Settings for Windows 11 +- Modern Workplace-Window Update Detection Frequency +- Modern Workplace - Data Collection + +| Policy name | Policy description | OMA | Value | +| ----- | ----- | ----- | ----- | +| Modern Workplace - Set MDM to Win Over GPO | Sets mobile device management (MDM) to win over GPO

    Assigned to:

    • Modern Workplace Devices-Windows Autopatch-Test
    • Modern Workplace Devices-Windows Autopatch-First
    • Modern Workplace Devices-Windows Autopatch-Fast
    • Modern Workplace Devices-Windows Autopatch-Broad
    | | | +| Modern Workplace - Telemetry Settings for Windows 10 | Telemetry settings for Windows 10

    Assigned to:

    • Modern Workplace Devices-Windows Autopatch-Test
    • Modern Workplace Devices-Windows Autopatch-First
    • Modern Workplace Devices-Windows Autopatch-Fast
    • Modern Workplace Devices-Windows Autopatch-Broad
    |[./Device/Vendor/MSFT/Policy/Config/System/AllowTelemetry](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry) | 2 | +| Modern Workplace - Telemetry Settings for Windows 11 | Telemetry settings for Windows 11

    Assigned to:

    • Modern Workplace Devices-Windows Autopatch-Test
    • Modern Workplace Devices-Windows Autopatch-First
    • Modern Workplace Devices-Windows Autopatch-Fast
    • Modern Workplace Devices-Windows Autopatch-Broad
    |
    • [./Device/Vendor/MSFT/Policy/Config/System/AllowTelemetry ](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry)
    • [./Device/Vendor/MSFT/Policy/Config/System/LimitEnhancedDiagnosticDataWindowsAnalytics](/windows/client-management/mdm/policy-csp-system#system-limitenhanceddiagnosticdatawindowsanalytics)
    • [./Device/Vendor/MSFT/Policy/Config/System/LimitDumpCollection](/windows/client-management/mdm/policy-csp-system#system-limitdumpcollection)
    • [./Device/Vendor/MSFT/Policy/Config/System/LimitDiagnosticLogCollection](/windows/client-management/mdm/policy-csp-system#system-limitdiagnosticlogcollection)
    |
    • 3
    • 1
    • 1
    • 1
      • | +| Modern Workplace - Windows Update Detection Frequency | Sets Windows update detection frequency

      Assigned to:

      • Modern Workplace Devices-Windows Autopatch-Test
      • Modern Workplace Devices-Windows Autopatch-First
      • Modern Workplace Devices-Windows Autopatch-Fast
      • Modern Workplace Devices-Windows Autopatch-Broad
      | [./Vendor/MSFT/Policy/Config/Update/DetectionFrequency](/windows/client-management/mdm/policy-csp-update#update-detectionfrequency)| 4 | +| Modern Workplace - Data Collection | Allows diagnostic data from this device to be processed by Microsoft Managed Desktop.

      Assigned to:

      • Modern Workplace Devices-Windows Autopatch-Test
      • Modern Workplace Devices-Windows Autopatch-First
      • Modern Workplace Devices-Windows Autopatch-Fast
      • Modern Workplace Devices-Windows Autopatch-Broad
      | | | + +## Update rings for Windows 10 and later + +- Modern Workplace Update Policy [Test]-[Windows Autopatch] +- Modern Workplace Update Policy [First]-[Windows Autopatch] +- Modern Workplace Update Policy [Fast]-[Windows Autopatch] +- Modern Workplace Update Policy [Broad]-[Windows Autopatch] + +| Policy name | Policy description | OMA | Value | +| ----- | ----- | ----- | ----- | +| Modern Workplace Update Policy [Test]-[Windows Autopatch | Windows Update for Business Configuration for the Test Ring

      Assigned to:

      • Modern Workplace Devices-Windows Autopatch-Test
      |
      • QualityUpdatesDeferralPeriodInDays
      • FeatureUpdatesDeferralPeriodInDays
      • FeatureUpdatesRollbackWindowInDays
      • BusinessReadyUpdatesOnly
      • AutomaticUpdateMode
      • InstallTime
      • DeadlineForFeatureUpdatesInDays
      • DeadlineForQualityUpdatesInDays
      • DeadlineGracePeriodInDays
      • PostponeRebootUntilAfterDeadline
      • DriversExcluded
      |
      • 0
      • 0
      • 30
      • All
      • WindowsDefault
      • 3
      • 5
      • 0
      • 0
      • False
      • False
        • | +| Modern Workplace Update Policy [First]-[Windows Autopatch] | Windows Update for Business Configuration for the First Ring

        Assigned to:

        • Modern Workplace Devices-Windows Autopatch-First
        |
        • QualityUpdatesDeferralPeriodInDays
        • FeatureUpdatesDeferralPeriodInDays
        • FeatureUpdatesRollbackWindowInDays
        • BusinessReadyUpdatesOnly
        • AutomaticUpdateMode
        • InstallTime
        • DeadlineForFeatureUpdatesInDays
        • DeadlineForQualityUpdatesInDays
        • DeadlineGracePeriodInDays
        • PostponeRebootUntilAfterDeadline
        • DriversExcluded
        |
        • 1
        • 0
        • 30
        • All
        • WindowsDefault
        • 3
        • 5
        • 2
        • 2
        • False
        • False
          • | +| Modern Workplace Update Policy [Fast]-[Windows Autopatch] | Windows Update for Business Configuration for the Fast Ring

          Assigned to:

          • Modern Workplace Devices-Windows Autopatch-Fast
          |
          • QualityUpdatesDeferralPeriodInDays
          • FeatureUpdatesDeferralPeriodInDays
          • FeatureUpdatesRollbackWindowInDays
          • BusinessReadyUpdatesOnly
          • AutomaticUpdateMode
          • InstallTime
          • DeadlineForFeatureUpdatesInDays
          • DeadlineForQualityUpdatesInDays
          • DeadlineGracePeriodInDays
          • PostponeRebootUntilAfterDeadline
          • DriversExcluded
          |
          • 6
          • 0
          • 30
          • All
          • WindowsDefault
          • 3
          • 5
          • 2
          • 2
          • False
          • False
            • | +| Modern Workplace Update Policy [Broad]-[Windows Autopatch] | Windows Update for Business Configuration for the Broad Ring

            Assigned to:

            • Modern Workplace Devices-Windows Autopatch-Broad
            |
            • QualityUpdatesDeferralPeriodInDays
            • FeatureUpdatesDeferralPeriodInDays
            • FeatureUpdatesRollbackWindowInDays
            • BusinessReadyUpdatesOnly
            • AutomaticUpdateMode
            • InstallTime
            • DeadlineForFeatureUpdatesInDays
            • DeadlineForQualityUpdatesInDays
            • DeadlineGracePeriodInDays
            • PostponeRebootUntilAfterDeadline
            • DriversExcluded
            |
            • 9
            • 0
            • 30
            • All
            • WindowsDefault
            • 3
            • 5
            • 5
            • 2
            • False
            • False
              • | + +## Feature update policies + +- Modern Workplace DSS Policy [Test] +- Modern Workplace DSS Policy [First] +- Modern Workplace DSS Policy [Fast] +- Modern Workplace DSS Policy [Broad] +- Modern Workplace DSS Policy [Windows 11] + +| Policy name | Policy description | Value | +| ----- | ----- | ----- | +| Modern Workplace DSS Policy [Test] | DSS policy for Test device group | Assigned to:
              • Modern Workplace Devices-Windows Autopatch-Test

              Exclude from:
              • Modern Workplace - Windows 11 Pre-Release Test Devices
              | +| Modern Workplace DSS Policy [First] | DSS policy for First device group | Assigned to:
              • Modern Workplace Devices-Windows Autopatch-First
              • Modern Workplace - Windows 11 Pre-Release Test Devices
                • | +| Modern Workplace DSS Policy [Fast] | DSS policy for Fast device group | Assigned to:
                • Modern Workplace Devices-Windows Autopatch-Fast

                Exclude from:
                • Modern Workplace - Windows 11 Pre-Release Test Devices
                | +| Modern Workplace DSS Policy [Broad] | DSS policy for Broad device group | Assigned to:
                • Modern Workplace Devices-Windows Autopatch-Broad

                Exclude from:
                • Modern Workplace - Windows 11 Pre-Release Test Devices
                | +| Modern Workplace DSS Policy [Windows 11] | Windows 11 DSS policy | Assigned to:
                • Modern Workplace - Windows 11 Pre-Release Test Devices
                | + +## Microsoft Office update policies + +- Modern Workplace - Office ADMX Deployment +- Modern Workplace - Office Configuration v5 +- Modern Workplace - Office Update Configuration [Test] +- Modern Workplace - Office Update Configuration [First] +- Modern Workplace - Office Update Configuration [Fast] +- Modern Workplace - Office Update Configuration [Broad] + +| Policy name | Policy description | OMA | Value | +| ----- | ----- | ----- | ----- | +| Modern Workplace - Office ADMX Deployment | ADMX file for Office

                Assigned to:

                • Modern Workplace Devices-Windows Autopatch-Test
                • Modern Workplace Devices-Windows Autopatch-First
                • Modern Workplace Devices-Windows Autopatch-Fast
                • Modern Workplace Devices-Windows Autopatch-Broad
                | | | +| Modern Workplace - Office Configuration v5 | Sets Office Update Channel to the Monthly Enterprise servicing branch.

                Assigned to:

                • Modern Workplace Devices-Windows Autopatch-Test
                • Modern Workplace Devices-Windows Autopatch-First
                • Modern Workplace Devices-Windows Autopatch-Fast
                • Modern Workplace Devices-Windows Autopatch-Broad
                | | | +| Modern Workplace - Office Update Configuration [Test] | Sets the Office update deadline

                Assigned to:

                • Modern Workplace Devices-Windows Autopatch-Test
                |
                • `./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_UpdateDeadline`
                • `./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_DeferUpdateDays`
                |
              • Enabled; L_UpdateDeadlineID == 7
              • Enabled; L_DeferUpdateDaysID == 0
                • | +| Modern Workplace - Office Update Configuration [First] | Sets the Office update deadline

                Assigned to:

                • Modern Workplace Devices-Windows Autopatch-First
                |
                • `./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_UpdateDeadline`
                • `./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_DeferUpdateDays`
                |
              • Enabled; L_UpdateDeadlineID == 7
              • Enabled; L_DeferUpdateDaysID == 0
                • | +| Modern Workplace - Office Update Configuration [Fast] | Sets the Office update deadline

                Assigned to:

                • Modern Workplace Devices-Windows Autopatch-Fast
                |
                • `./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_UpdateDeadline`
                • `./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_DeferUpdateDays`
                |
              • Enabled; L_UpdateDeadlineID == 7
              • Enabled; L_DeferUpdateDaysID == 3
                • | +| Modern Workplace - Office Update Configuration [Broad] | Sets the Office update deadline
                Assigned to:
                • Modern Workplace Devices-Windows Autopatch-Broad
                  • |
                  • `./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_UpdateDeadline`
                  • `./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_DeferUpdateDays`
                  |
                • Enabled; L_UpdateDeadlineID == 7
                • Enabled; L_DeferUpdateDaysID == 7
                  • | + +## Microsoft Edge update policies + +- Modern Workplace - Edge Update ADMX Deployment +- Modern Workplace - Edge Update Channel Stable +- Modern Workplace - Edge Update Channel Beta + +| Policy name | Policy description | OMA | Value | +| ----- | ----- | ----- | ----- | +| Modern Workplace - Edge Update ADMX Deployment | Deploys ADMX update policy for Edge

                  Assigned to:

                  • Modern Workplace Devices-Windows Autopatch-Test
                  • Modern Workplace Devices-Windows Autopatch-First
                  • Modern Workplace Devices-Windows Autopatch-Fast
                  • Modern Workplace Devices-Windows Autopatch-Broad
                  | | | +| Modern Workplace - Edge Update Channel Stable | Deploys updates via the Edge Stable Channel

                  Assigned to:

                  • Modern Workplace Devices-Windows Autopatch-First
                  • Modern Workplace Devices-Windows Autopatch-Fast
                  • Modern Workplace Devices-Windows Autopatch-Broad
                  | `./Device/Vendor/MSFT/Policy/Config/MicrosoftEdgeUpdate~Policy~Cat_EdgeUpdate~Cat_Applications~Cat_MicrosoftEdge/Pol_TargetChannelMicrosoftEdge` | Enabled | +| Modern Workplace - Edge Update Channel Beta | Deploys updates via the Edge Beta Channel

                  Assigned to:

                  • Modern Workplace Devices-Windows Autopatch-Test
                  | `./Device/Vendor/MSFT/Policy/Config/MicrosoftEdgeUpdate~Policy~Cat_EdgeUpdate~Cat_Applications~Cat_MicrosoftEdge/Pol_TargetChannelMicrosoftEdge` | Enabled | + +## Conditional access policies + +> [!NOTE] +> Effective Aug 15, 2022, the following policy will no longer be added to newly enrolled tenants, and existing tenants will be provided an option to migrate to enterprise application-based authentication. This policy will be removed with that transition. + +| Conditional access policy | Description | +| ----- | ----- | +| Modern Workplace - Secure Workstation | This policy is targeted to only the Windows Autopatch cloud service accounts. The policy blocks access to the tenant unless the user is accessing the tenant from a Microsoft authorized location. | + +## PowerShell scripts + +| Script | Description | +| ----- | ----- | +| Modern Workplace - Autopatch Client Setup | Installs necessary client components for the Windows Autopatch service | diff --git a/windows/security/identity-protection/access-control/access-control.md b/windows/security/identity-protection/access-control/access-control.md index 2dfc4dc841..3463887878 100644 --- a/windows/security/identity-protection/access-control/access-control.md +++ b/windows/security/identity-protection/access-control/access-control.md @@ -2,23 +2,23 @@ title: Access Control Overview (Windows 10) description: Access Control Overview ms.prod: m365-security -author: dansimp -ms.author: dansimp -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +ms.reviewer: sulahiri +manager: aaroncz ms.collection: - M365-identity-device-management - highpri ms.topic: article ms.localizationpriority: medium ms.date: 07/18/2017 +appliesto: +- ✅ Windows 10 +- ✅ Windows Server 2016 --- # Access Control Overview -**Applies to** -- Windows 10 -- Windows Server 2016 - This topic for the IT professional describes access control in Windows, which is the process of authorizing users, groups, and computers to access objects on the network or computer. Key concepts that make up access control are permissions, ownership of objects, inheritance of permissions, user rights, and object auditing. ## Feature description diff --git a/windows/security/identity-protection/access-control/local-accounts.md b/windows/security/identity-protection/access-control/local-accounts.md index b6149dcddb..cf62379ed8 100644 --- a/windows/security/identity-protection/access-control/local-accounts.md +++ b/windows/security/identity-protection/access-control/local-accounts.md @@ -2,25 +2,26 @@ title: Local Accounts (Windows 10) description: Learn how to secure and manage access to the resources on a standalone or member server for services or users. ms.prod: m365-security -author: dansimp -ms.author: dansimp -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +ms.reviewer: sulahiri +manager: aaroncz ms.collection: - M365-identity-device-management - highpri ms.topic: article ms.localizationpriority: medium ms.date: 06/17/2022 +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Local Accounts -**Applies to** -- Windows 11 -- Windows 10 -- Windows Server 2019 -- Windows Server 2016 - This reference article for IT professionals describes the default local user accounts for servers, including how to manage these built-in accounts on a member or standalone server. ## About local user accounts @@ -116,13 +117,13 @@ In addition, the guest user in the Guest account shouldn't be able to view the e The HelpAssistant account is a default local account that is enabled when a Remote Assistance session is run. This account is automatically disabled when no Remote Assistance requests are pending. -HelpAssistant is the primary account that is used to establish a Remote Assistance session. The Remote Assistance session is used to connect to another computer running the Windows operating system, and it's initiated by invitation. For solicited remote assistance, a user sends an invitation from their computer, through e-mail or as a file, to a person who can provide assistance. After the users invitation for a Remote Assistance session is accepted, the default HelpAssistant account is automatically created to give the person who provides assistance limited access to the computer. The HelpAssistant account is managed by the Remote Desktop Help Session Manager service. +HelpAssistant is the primary account that is used to establish a Remote Assistance session. The Remote Assistance session is used to connect to another computer running the Windows operating system, and it's initiated by invitation. For solicited remote assistance, a user sends an invitation from their computer, through e-mail or as a file, to a person who can provide assistance. After the user's invitation for a Remote Assistance session is accepted, the default HelpAssistant account is automatically created to give the person who provides assistance limited access to the computer. The HelpAssistant account is managed by the Remote Desktop Help Session Manager service. **Security considerations** The SIDs that pertain to the default HelpAssistant account include: -- SID: S-1-5-<domain>-13, display name Terminal Server User. This group includes all users who sign in to a server with Remote Desktop Services enabled. Note: In Windows Server 2008, Remote Desktop Services are called Terminal Services. +- SID: S-1-5-<domain>-13, display name Terminal Server User. This group includes all users who sign in to a server with Remote Desktop Services enabled. Note: In Windows Server 2008, Remote Desktop Services is called Terminal Services. - SID: S-1-5-<domain>-14, display name Remote Interactive Logon. This group includes all users who connect to the computer by using a remote desktop connection. This group is a subset of the Interactive group. Access tokens that contain the Remote Interactive Logon SID also contain the Interactive SID. diff --git a/windows/security/identity-protection/configure-s-mime.md b/windows/security/identity-protection/configure-s-mime.md index 9184e9a43d..b1d3c58e26 100644 --- a/windows/security/identity-protection/configure-s-mime.md +++ b/windows/security/identity-protection/configure-s-mime.md @@ -1,15 +1,17 @@ --- title: Configure S/MIME for Windows description: S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients with a digital ID, also known as a certificate, can read them. -ms.reviewer: ms.prod: m365-security -author: dansimp -ms.author: dansimp -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium ms.date: 07/27/2017 +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- @@ -25,7 +27,7 @@ S/MIME stands for Secure/Multipurpose Internet Mail Extensions, and provides an Users can send encrypted message to people in their organization and people outside their organization if they have their encryption certificates. However, users using Windows Mail app can only read encrypted messages if the message is received on their Exchange account and they have corresponding decryption keys. -Encrypted messages can be read only by recipients who have a certificate. If you try to send an encrypted message to recipient(s) whose encryption certificate are not available, the app will prompt you to remove these recipients before sending the email. +Encrypted messages can be read only by recipients who have a certificate. If you try to send an encrypted message to recipients whose encryption certificate is not available, the app will prompt you to remove these recipients before sending the email. ## About digital signatures @@ -80,7 +82,7 @@ When you receive an encrypted message, the mail app will check whether there is ## Install certificates from a received message -When you receive a signed email, the app provide feature to install corresponding encryption certificate on your device if the certificate is available. This certificate can then be used to send encrypted email to this person. +When you receive a signed email, the app provides a feature to install corresponding encryption certificate on your device if the certificate is available. This certificate can then be used to send encrypted email to this person. 1. Open a signed email. @@ -89,4 +91,4 @@ When you receive a signed email, the app provide feature to install correspondin 3. Tap **Install.** :::image type="content" alt-text="message security information." source="images/installcert.png"::: -  \ No newline at end of file +  diff --git a/windows/security/identity-protection/credential-guard/additional-mitigations.md b/windows/security/identity-protection/credential-guard/additional-mitigations.md index 5be4c34c1e..ae0b3c7b76 100644 --- a/windows/security/identity-protection/credential-guard/additional-mitigations.md +++ b/windows/security/identity-protection/credential-guard/additional-mitigations.md @@ -3,13 +3,13 @@ title: Additional mitigations description: Advice and sample code for making your domain environment more secure and robust with Windows Defender Credential Guard. ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -ms.author: dansimp -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +ms.reviewer: erikdau +manager: aaroncz ms.collection: M365-identity-device-management ms.topic: article ms.date: 08/17/2017 -ms.reviewer: --- # Additional mitigations @@ -18,7 +18,7 @@ Windows Defender Credential Guard can provide mitigation against attacks on deri ## Restricting domain users to specific domain-joined devices -Credential theft attacks allow the attacker to steal secrets from one device and use them from another device. If a user can sign on to multiple devices then any device could be used to steal credentials. How do you ensure that users only sign on using devices that have Windows Defender Credential Guard enabled? By deploying authentication policies that restrict them to specific domain-joined devices that have been configured with Windows Defender Credential Guard. For the domain controller to know what device a user is signing on from, Kerberos armoring must be used. +Credential theft attacks allow the attacker to steal secrets from one device and use them from another device. If a user can sign on to multiple devices then any device could be used to steal credentials. How do you ensure that users only sign on with devices that have Windows Defender Credential Guard enabled? By deploying authentication policies that restrict them to specific domain-joined devices that have been configured with Windows Defender Credential Guard. For the domain controller to know what device a user is signing on from, Kerberos armoring must be used. ### Kerberos armoring @@ -32,7 +32,7 @@ Kerberos armoring is part of RFC 6113. When a device supports Kerberos armoring, ### Protecting domain-joined device secrets -Since domain-joined devices also use shared secrets for authentication, attackers can steal those secrets as well. By deploying device certificates with Windows Defender Credential Guard, the private key can be protected. Then authentication policies can require that users sign on devices that authenticate using those certificates. This prevents shared secrets stolen from the device to be used with stolen user credentials to sign on as the user. +Since domain-joined devices also use shared secrets for authentication, attackers can steal those secrets as well. By deploying device certificates with Windows Defender Credential Guard, the private key can be protected. Then authentication policies can require that users sign on to devices that authenticate using those certificates. This prevents shared secrets stolen from the device to be used with stolen user credentials to sign on as the user. Domain-joined device certificate authentication has the following requirements: - Devices' accounts are in Windows Server 2012 domain functional level or higher. @@ -96,13 +96,13 @@ Beginning with the Windows Server 2008 R2 domain functional level, domain contro .\set-IssuancePolicyToGroupLink.ps1 –IssuancePolicyName:"" –groupOU:"" –groupName:”" ``` -### Restricting user sign on +### Restricting user sign-on So we now have completed the following: - Created a special certificate issuance policy to identify devices that meet the deployment criteria required for the user to be able to sign on - Mapped that policy to a universal security group or claim -- Provided a way for domain controllers to get the device authorization data during user sign on using Kerberos armoring. Now what is left to do is to configure the access check on the domain controllers. This is done using authentication policies. +- Provided a way for domain controllers to get the device authorization data during user sign-on using Kerberos armoring. Now what is left to do is to configure the access check on the domain controllers. This is done using authentication policies. Authentication policies have the following requirements: - User accounts are in a Windows Server 2012 domain functional level or higher domain. diff --git a/windows/security/identity-protection/credential-guard/credential-guard-considerations.md b/windows/security/identity-protection/credential-guard/credential-guard-considerations.md index 7b1cc141be..22f3e34740 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-considerations.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-considerations.md @@ -3,23 +3,23 @@ title: Advice while using Windows Defender Credential Guard (Windows) description: Considerations and recommendations for certain scenarios when using Windows Defender Credential Guard in Windows. ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -ms.author: dansimp -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +ms.reviewer: erikdau +manager: aaroncz ms.collection: M365-identity-device-management ms.topic: article ms.date: 08/31/2017 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Considerations when using Windows Defender Credential Guard -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 -- Windows Server 2019 - Passwords are still weak. We recommend that in addition to deploying Windows Defender Credential Guard, organizations move away from passwords to other authentication methods, such as physical smart cards, virtual smart cards, or Windows Hello for Business. Windows Defender Credential Guard uses hardware security, so some features such as Windows To Go, aren't supported. @@ -80,8 +80,8 @@ Domain user sign-in on a domain-joined device after clearing a TPM for as long a |Credential Type | Windows version | Behavior |---|---|---| | Certificate (smart card or Windows Hello for Business) | All | All data protected with user DPAPI is unusable and user DPAPI doesn't work at all. | -| Password | Windows 10 v1709 or later | If the user signed-in with a certificate or password prior to clearing the TPM, then they can sign-in with password and user DPAPI is unaffected. -| Password | Windows 10 v1703 | If the user signed-in with a password prior to clearing the TPM, then they can sign-in with that password and are unaffected. +| Password | Windows 10 v1709 or later | If the user signed in with a certificate or password prior to clearing the TPM, then they can sign-in with password and user DPAPI is unaffected. +| Password | Windows 10 v1703 | If the user signed in with a password prior to clearing the TPM, then they can sign-in with that password and are unaffected. | Password | Windows 10 v1607 or earlier | Existing user DPAPI protected data is unusable. User DPAPI is able to protect new data. Once the device has connectivity to the domain controllers, DPAPI recovers the user's key and data protected prior to clearing the TPM can be decrypted. diff --git a/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md b/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md index 787063e450..b48fb5bbb3 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md @@ -3,24 +3,23 @@ title: How Windows Defender Credential Guard works description: Learn how Windows Defender Credential Guard uses virtualization to protect secrets, so that only privileged system software can access them. ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -ms.author: dansimp -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +ms.reviewer: erikdau +manager: aaroncz ms.collection: M365-identity-device-management ms.topic: article ms.date: 08/17/2017 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # How Windows Defender Credential Guard works -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 -- Windows Server 2019 - - Kerberos, NTLM, and Credential manager isolate secrets by using virtualization-based security. Previous versions of Windows stored secrets in the Local Security Authority (LSA). Prior to Windows 10, the LSA stored secrets used by the operating system in its process memory. With Windows Defender Credential Guard enabled, the LSA process in the operating system talks to a new component called the isolated LSA process that stores and protects those secrets. Data stored by the isolated LSA process is protected using Virtualization-based security and isn't accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process. For security reasons, the isolated LSA process doesn't host any device drivers. Instead, it only hosts a small subset of operating system binaries that are needed for security and nothing else. All of these binaries are signed with a certificate that is trusted by virtualization-based security and these signatures are validated before launching the file in the protected environment. diff --git a/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md b/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md index b76dd3d133..e190e70c49 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md @@ -3,24 +3,22 @@ title: Windows Defender Credential Guard - Known issues (Windows) description: Windows Defender Credential Guard - Known issues in Windows Enterprise ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -ms.author: dansimp -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +ms.reviewer: erikdau +manager: aaroncz ms.collection: M365-identity-device-management ms.topic: article ms.date: 01/26/2022 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- - # Windows Defender Credential Guard: Known issues -**Applies to** - -- Windows 10 -- Windows 11 -- Windows Server 2016 -- Windows Server 2019 - Windows Defender Credential Guard has certain application requirements. Windows Defender Credential Guard blocks specific authentication capabilities. So applications that require such capabilities won't function when it's enabled. For more information, see [Application requirements](credential-guard-requirements.md#application-requirements). The following known issues have been fixed in the [Cumulative Security Update for November 2017](https://support.microsoft.com/topic/november-27-2017-kb4051033-os-build-14393-1914-447b6b88-e75d-0a24-9ab9-5dcda687aaf4): diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md index a2392e3e3c..1b61031be8 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md @@ -3,9 +3,10 @@ title: Manage Windows Defender Credential Guard (Windows) description: Learn how to deploy and manage Windows Defender Credential Guard using Group Policy, the registry, or hardware readiness tools. ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -ms.author: v-tappelgate -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +ms.reviewer: erikdau +manager: aaroncz ms.collection: - M365-identity-device-management - highpri @@ -13,17 +14,14 @@ ms.topic: article ms.custom: - CI 120967 - CSSTroubleshooting +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- - # Manage Windows Defender Credential Guard - -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 -- Windows Server 2019 -- Windows Server 2022 - ## Enable Windows Defender Credential Guard Windows Defender Credential Guard can be enabled either by using [Group Policy](#enable-windows-defender-credential-guard-by-using-group-policy), the [registry](#enable-windows-defender-credential-guard-by-using-the-registry), or the [Hypervisor-Protected Code Integrity (HVCI) and Windows Defender Credential Guard hardware readiness tool](#enable-windows-defender-credential-guard-by-using-the-hvci-and-windows-defender-credential-guard-hardware-readiness-tool). Windows Defender Credential Guard can also protect secrets in a Hyper-V virtual machine, just as it would on a physical machine. diff --git a/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md b/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md index fba979bcbb..445168ffc1 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md @@ -3,23 +3,23 @@ title: Windows Defender Credential Guard protection limits & mitigations (Window description: Scenarios not protected by Windows Defender Credential Guard in Windows, and additional mitigations you can use. ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -ms.author: dansimp -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +ms.reviewer: erikdau +manager: aaroncz ms.collection: M365-identity-device-management ms.topic: article ms.date: 08/17/2017 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Windows Defender Credential Guard protection limits and mitigations -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 -- Windows Server 2019 - Prefer video? See [Credentials protected by Windows Defender Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=pdc37LJyC_1204300474) in the Deep Dive into Windows Defender Credential Guard video series. @@ -123,13 +123,13 @@ Beginning with the Windows Server 2008 R2 domain functional level, domain contro .\set-IssuancePolicyToGroupLink.ps1 –IssuancePolicyName:"" –groupOU:"" –groupName:”" ``` -#### Restricting user sign on +#### Restricting user sign-on So we now have completed the following: - Created a special certificate issuance policy to identify devices that meet the deployment criteria required for the user to be able to sign on - Mapped that policy to a universal security group or claim -- Provided a way for domain controllers to get the device authorization data during user sign on using Kerberos armoring. Now what is left to do is to configure the access check on the domain controllers. This is done using authentication policies. +- Provided a way for domain controllers to get the device authorization data during user sign-on using Kerberos armoring. Now what is left to do is to configure the access check on the domain controllers. This is done using authentication policies. Authentication policies have the following requirements: - User accounts are in a Windows Server 2012 domain functional level or higher domain. diff --git a/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md b/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md index 1b47f91c82..ba9aa464db 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md @@ -3,23 +3,22 @@ title: Windows Defender Credential Guard protection limits (Windows) description: Some ways to store credentials are not protected by Windows Defender Credential Guard in Windows. Learn more with this guide. ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -ms.author: dansimp -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +ms.reviewer: erikdau +manager: aaroncz ms.collection: M365-identity-device-management ms.topic: article ms.date: 08/17/2017 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- - # Windows Defender Credential Guard protection limits -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 -- Windows Server 2019 - Some ways to store credentials are not protected by Windows Defender Credential Guard, including: - Software that manages credentials outside of Windows feature protection diff --git a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md index cd0217dffe..e4d7f90a39 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md @@ -3,25 +3,25 @@ title: Windows Defender Credential Guard Requirements (Windows) description: Windows Defender Credential Guard baseline hardware, firmware, and software requirements, and additional protections for improved security. ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -ms.author: dansimp -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +ms.reviewer: erikdau +manager: aaroncz ms.collection: - M365-identity-device-management - highpri ms.topic: article ms.date: 12/27/2021 +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Windows Defender Credential Guard: Requirements -## Applies to - -- Windows 11 -- Windows 10 -- Windows Server 2019 -- Windows Server 2016 - For Windows Defender Credential Guard to provide protection, the computers you are protecting must meet certain baseline hardware, firmware, and software requirements, which we will refer to as [Hardware and software requirements](#hardware-and-software-requirements). Additionally, Windows Defender Credential Guard blocks specific authentication capabilities, so applications that require such capabilities will break. We will refer to these requirements as [Application requirements](#application-requirements). Beyond these requirements, computers can meet additional hardware and firmware qualifications, and receive additional protections. Those computers will be more hardened against certain threats. For detailed information on baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017, refer to the tables in [Security Considerations](#security-considerations). ## Hardware and software requirements diff --git a/windows/security/identity-protection/credential-guard/credential-guard-scripts.md b/windows/security/identity-protection/credential-guard/credential-guard-scripts.md index ac96f2cc37..d235f8a2dc 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-scripts.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-scripts.md @@ -3,18 +3,17 @@ title: Scripts for Certificate Issuance Policies in Windows Defender Credential description: Obtain issuance policies from the certificate authority for Windows Defender Credential Guard on Windows. ms.prod: m365-security ms.localizationpriority: medium -author: dulcemontemayor -ms.author: dansimp -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +ms.reviewer: erikdau +manager: aaroncz ms.collection: M365-identity-device-management ms.topic: article ms.date: 08/17/2017 -ms.reviewer: --- # Windows Defender Credential Guard: Scripts for Certificate Authority Issuance Policies - Here is a list of scripts mentioned in this topic. ## Get the available issuance policies on the certificate authority diff --git a/windows/security/identity-protection/credential-guard/credential-guard.md b/windows/security/identity-protection/credential-guard/credential-guard.md index 08cb1d98b8..db31018523 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard.md +++ b/windows/security/identity-protection/credential-guard/credential-guard.md @@ -1,28 +1,28 @@ --- title: Protect derived domain credentials with Windows Defender Credential Guard (Windows) description: Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. -ms.reviewer: ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -ms.author: dansimp -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +ms.reviewer: erikdau +manager: aaroncz ms.collection: - M365-identity-device-management - highpri ms.topic: article ms.date: 03/10/2022 +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Protect derived domain credentials with Windows Defender Credential Guard -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 -- Windows Server 2019 - -Introduced in Windows 10 Enterprise and Windows Server 2016, Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Windows Defender Credential Guard prevents these attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets, and credentials stored by applications as domain credentials. +Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Windows Defender Credential Guard prevents these attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets, and credentials stored by applications as domain credentials. By enabling Windows Defender Credential Guard, the following features and solutions are provided: diff --git a/windows/security/identity-protection/credential-guard/dg-readiness-tool.md b/windows/security/identity-protection/credential-guard/dg-readiness-tool.md index 1128ef5604..603dcc1d9c 100644 --- a/windows/security/identity-protection/credential-guard/dg-readiness-tool.md +++ b/windows/security/identity-protection/credential-guard/dg-readiness-tool.md @@ -3,23 +3,22 @@ title: Windows Defender Device Guard and Windows Defender Credential Guard hardw description: Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool script ms.prod: m365-security ms.localizationpriority: medium -author: SteveSyfuhs -ms.author: stsyfuhs -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +ms.reviewer: erikdau +manager: aaroncz ms.collection: M365-identity-device-management ms.topic: article -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool -**Applies to:** -- Windows 10 -- Windows 11 -- Windows Server 2016 -- Windows Server 2019 -- Windows Server 2022 - ```powershell # Script to find out if a machine is Device Guard compliant. # The script requires a driver verifier present on the system. diff --git a/windows/security/identity-protection/enterprise-certificate-pinning.md b/windows/security/identity-protection/enterprise-certificate-pinning.md index bba1605784..facbb090b1 100644 --- a/windows/security/identity-protection/enterprise-certificate-pinning.md +++ b/windows/security/identity-protection/enterprise-certificate-pinning.md @@ -1,23 +1,22 @@ --- title: Enterprise Certificate Pinning description: Enterprise certificate pinning is a Windows feature for remembering; or pinning a root issuing certificate authority, or end entity certificate to a given domain name. -author: dulcemontemayor -ms.author: dansimp -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz ms.collection: M365-identity-device-management ms.topic: article ms.prod: m365-security ms.technology: windows-sec ms.localizationpriority: medium ms.date: 07/27/2017 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- # Enterprise Certificate Pinning -**Applies to** -- Windows 10 - Enterprise certificate pinning is a Windows feature for remembering, or pinning a root issuing certificate authority or end entity certificate to a given domain name. Enterprise certificate pinning helps reduce man-in-the-middle attacks by enabling you to protect your internal domain names from chaining to unwanted certificates or to fraudulently issued certificates. @@ -99,7 +98,7 @@ The **Certificate** element can have the following attributes. | **File** | Path to a file containing one or more certificates. Where the certificate(s) can be encoded as:
                  - single certificate
                  - p7b
                  - sst
                  These files can also be Base64 formatted. All **Site** elements included in the same **PinRule** element can match any of these certificates. | Yes (File, Directory, or Base64 must be present). | | **Directory** | Path to a directory containing one or more of the above certificate files. Skips any files not containing any certificates. | Yes (File, Directory, or Base64 must be present). | | **Base64** | Base64 encoded certificate(s). Where the certificate(s) can be encoded as:
                  - single certificate
                  - p7b
                  - sst
                  This allows the certificates to be included in the XML file without a file directory dependency.
                  Note:
                  You can use **certutil -encode** to convert a .cer file into base64. You can then use Notepad to copy and paste the base64 encoded certificate into the pin rule. | Yes (File, Directory, or Base64 must be present). | -| **EndDate** | Enables you to configure an expiration date for when the certificate is no longer valid in the pin rule.
                  If you are in the process of switching to a new root or CA, you can set the **EndDate** to allow matching of this element’s certificates.
                  If the current time is past the **EndDate**, then, when creating the certificate trust list (CTL), the parser outputs a warning message and exclude the certificate(s) from the Pin Rule in the generated CTL.
                  For help with formatting Pin Rules, see [Representing a Date in XML](#representing-a-date-in-xml).| No.| +| **EndDate** | Enables you to configure an expiration date for when the certificate is no longer valid in the pin rule.
                  If you are in the process of switching to a new root or CA, you can set the **EndDate** to allow matching of this element’s certificates.
                  If the current time is past the **EndDate**, then, when creating the certificate trust list (CTL), the parser outputs a warning message and excludes the certificate(s) from the Pin Rule in the generated CTL.
                  For help with formatting Pin Rules, see [Representing a Date in XML](#representing-a-date-in-xml).| No.| #### Site element @@ -107,7 +106,7 @@ The **Site** element can have the following attributes. | Attribute | Description | Required | |-----------|-------------|----------| -| **Domain** | Contains the DNS name to be matched for this pin rule. When creating the certificate trust list, the parser normalizes the input name string value as follows:
                  - If the DNS name has a leading "*", it's removed.
                  - Non-ASCII DNS name is converted to ASCII Puny Code.
                  - Upper case ASCII characters are converted to lower case.
                  If the normalized name has a leading ".", then, wildcard left-hand label matching is enabled. For example, ".xyz.com" would match "abc.xyz.com". | Yes.| +| **Domain** | Contains the DNS name to be matched for this pin rule. When creating the certificate trust list, the parser normalizes the input name string value as follows:
                  - If the DNS name has a leading "*", it's removed.
                  - Non-ASCII DNS name is converted to ASCII Puny Code.
                  - Upper case ASCII characters are converted to lower case.
                  If the normalized name has a leading ".", then wildcard left-hand label matching is enabled. For example, ".xyz.com" would match "abc.xyz.com". | Yes.| | **AllSubdomains** | By default, wildcard left-hand label matching is restricted to a single left-hand label. This attribute can be set to "true" to enable wildcard matching of all of the left-hand labels.
                  For example, setting this attribute would also match "123.abc.xyz.com" for the ".xyz.com" domain value.| No.| ### Create a Pin Rules Certificate Trust List diff --git a/windows/security/identity-protection/hello-for-business/WebAuthnAPIs.md b/windows/security/identity-protection/hello-for-business/WebAuthnAPIs.md index af4b0207cd..c84b17cee4 100644 --- a/windows/security/identity-protection/hello-for-business/WebAuthnAPIs.md +++ b/windows/security/identity-protection/hello-for-business/WebAuthnAPIs.md @@ -2,14 +2,14 @@ title: WebAuthn APIs description: Learn how to use WebAuthn APIs to enable password-less authentication for your sites and apps. ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 02/15/2019 -ms.reviewer: --- # WebAuthn APIs for password-less authentication on Windows diff --git a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md index 46c5ce15d2..50dac1c934 100644 --- a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md +++ b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md @@ -2,22 +2,20 @@ title: Multi-factor Unlock description: Learn how Windows 10 and Windows 11 offer multi-factor device unlock by extending Windows Hello with trusted signals. ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 03/20/2018 -ms.reviewer: +author: paolomatarazzo +ms.author: paoloma +ms.reviewer: prsriva +manager: aaroncz +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- # Multi-factor Unlock -**Applies to:** - -- Windows 10 -- Windows 11 - **Requirements:** * Windows Hello for Business deployment (Cloud, Hybrid or On-premises) * Azure AD, Hybrid Azure AD, or Domain Joined (Cloud, Hybrid, or On-Premises deployments) diff --git a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md index a22fdc4c4b..1c3acf11f8 100644 --- a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md +++ b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md @@ -2,14 +2,17 @@ title: Azure Active Directory join cloud only deployment description: Use this deployment guide to successfully use Azure Active Directory to join a Windows 10 or Windows 11 device. ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 06/23/2021 -ms.reviewer: +author: paolomatarazzo +ms.author: paoloma +ms.reviewer: prsriva +manager: aaroncz +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- # Azure Active Directory join cloud only deployment diff --git a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md index 201f155223..edba592b4e 100644 --- a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md +++ b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md @@ -2,24 +2,23 @@ title: Having enough Domain Controllers for Windows Hello for Business deployments description: Guide for planning to have an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 08/20/2018 -ms.reviewer: +author: paolomatarazzo +ms.author: paoloma +ms.reviewer: prsriva +manager: aaroncz +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 or later +- ✅ Hybrid or On-Premises deployment +- ✅ Key trust --- # Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments -**Applies to** - -- Windows 10, version 1703 or later, or Windows 11 -- Windows Server, versions 2016 or later -- Hybrid or On-Premises deployment -- Key trust - > [!NOTE] >There was an issue with key trust authentication on Windows Server 2019. To fix it, refer to [KB4487044](https://support.microsoft.com/en-us/help/4487044/windows-10-update-kb4487044). @@ -90,7 +89,7 @@ Using the same methods described above, monitor the Kerberos authentication afte ```"Every n Windows Hello for Business clients results in x percentage of key-trust authentication."``` -Where _n_ equals the number of clients you switched to Windows Hello for Business and _x_ equals the increased percentage of authentication from the upgraded domain controller. Armed with this information, you can apply the observations of upgrading domain controllers and increasing Windows Hello for Business client count to appropriately phase your deployment. +Where *n* equals the number of clients you switched to Windows Hello for Business and _x_ equals the increased percentage of authentication from the upgraded domain controller. Armed with this information, you can apply the observations of upgrading domain controllers and increasing Windows Hello for Business client count to appropriately phase your deployment. Remember, increasing the number of clients changes the volume of authentication distributed across the Windows Server 2016 or newer domain controllers. If there is only one Windows Server 2016 or newer domain controller, there's no distribution and you are simply increasing the volume of authentication for which THAT domain controller is responsible. diff --git a/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md b/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md index 409d7ad594..0b82e155e7 100644 --- a/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md +++ b/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md @@ -1,23 +1,21 @@ --- title: Windows Hello and password changes (Windows) description: When you change your password on a device, you may need to sign in with a password on other devices to reset Hello. -ms.reviewer: ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium ms.date: 07/27/2017 +author: paolomatarazzo +ms.author: paoloma +ms.reviewer: prsriva +manager: aaroncz +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- # Windows Hello and password changes -**Applies to** - -- Windows 10 -- Windows 11 - When you set up Windows Hello, the PIN or biometric gesture that you use is specific to that device. You can set up Hello for the same account on multiple devices. If the PIN or biometric is configured as part of Windows Hello for Business, changing the account password will not impact sign-in or unlock with these gestures since it uses a key or certificate. However, if Windows Hello for Business is not deployed and the password for that account changes, you must provide the new password on each device to continue to use Hello. ## Example diff --git a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md index 1b7fc74348..ebbea60361 100644 --- a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md +++ b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md @@ -2,24 +2,23 @@ title: Windows Hello biometrics in the enterprise (Windows) description: Windows Hello uses biometrics to authenticate users and guard against potential spoofing, through fingerprint matching and facial recognition. ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp ms.collection: - M365-identity-device-management - highpri ms.topic: article localizationpriority: medium ms.date: 01/12/2021 +author: paolomatarazzo +ms.author: paoloma +ms.reviewer: prsriva +manager: aaroncz +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- # Windows Hello biometrics in the enterprise -**Applies to:** - -- Windows 10 -- Windows 11 - Windows Hello is the biometric authentication feature that helps strengthen authentication and helps to guard against potential spoofing through fingerprint matching and facial recognition. >[!NOTE] diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md index 7c1152e8bf..da1d9d6154 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md @@ -2,24 +2,22 @@ title: Prepare and Deploy Windows AD FS certificate trust (Windows Hello for Business) description: Learn how to Prepare and Deploy Windows Server 2016 Active Directory Federation Services (AD FS) for Windows Hello for Business, using certificate trust. ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 01/14/2021 -ms.reviewer: +author: paolomatarazzo +ms.author: paoloma +ms.reviewer: prsriva +manager: aaroncz +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ On-premises deployments +- ✅ Certificate trust --- # Prepare and Deploy Windows Server 2016 Active Directory Federation Services - Certificate Trust -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- On-premises deployment -- Certificate trust - Windows Hello for Business works exclusively with the Active Directory Federation Service role included with Windows Server 2016 and requires an additional server update. The on-premises certificate trust deployment uses Active Directory Federation Services roles for key registration, device registration, and as a certificate registration authority. The following guidance describes deploying a new instance of Active Directory Federation Services 2016 using the Windows Information Database as the configuration database, which is ideal for environments with no more than 30 federation servers and no more than 100 relying party trusts. diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md index eda6b35e15..36186166cf 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md @@ -2,25 +2,24 @@ title: Configure Windows Hello for Business Policy settings - certificate trust description: Configure Windows Hello for Business Policy settings for Windows Hello for Business. Certificate-based deployments need three group policy settings. ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp ms.collection: - M365-identity-device-management - highpri ms.topic: article localizationpriority: medium ms.date: 08/20/2018 +author: paolomatarazzo +ms.author: paoloma +ms.reviewer: prsriva +manager: aaroncz +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ On-premises deployments +- ✅ Certificate trust --- # Configure Windows Hello for Business Policy settings - Certificate Trust -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- On-premises deployment -- Certificate trust - You need at least a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520). Install the Remote Server Administration Tools for Windows on a computer running Windows 10, version 1703 or later. diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md index 281f5bf449..9d4ca3a2f5 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md @@ -2,24 +2,22 @@ title: Update Active Directory schema for cert-trust deployment (Windows Hello for Business) description: How to Validate Active Directory prerequisites for Windows Hello for Business when deploying with the certificate trust model. ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 08/19/2018 -ms.reviewer: +author: paolomatarazzo +ms.author: paoloma +ms.reviewer: prsriva +manager: aaroncz +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ On-premises deployments +- ✅ Certificate trust --- # Validate Active Directory prerequisites for cert-trust deployment -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- On-premises deployment -- Certificate trust - The key registration process for the on-premises deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory or later schema. The key-trust model receives the schema extension when the first Windows Server 2016 or later domain controller is added to the forest. The certificate trust model requires manually updating the current schema to the Windows Server 2016 or later schema. > [!NOTE] diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md index 865759bf10..5ec79ae891 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md @@ -2,24 +2,22 @@ title: Validate and Deploy MFA for Windows Hello for Business with certificate trust description: How to Validate and Deploy Multi-factor Authentication (MFA) Services for Windows Hello for Business with certificate trust ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 08/19/2018 -ms.reviewer: +author: paolomatarazzo +ms.author: paoloma +ms.reviewer: prsriva +manager: aaroncz +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ On-premises deployments +- ✅ Certificate trust --- # Validate and Deploy Multi-Factor Authentication feature -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- On-premises deployment -- Certificate trust - Windows Hello for Business requires all users perform multi-factor authentication prior to creating and registering a Windows Hello for Business credential. On-premises deployments can use certificates, third-party authentication providers for AD FS, or a custom authentication provider for AD FS as an on-premises MFA option. For information on available third-party authentication methods, see [Configure Additional Authentication Methods for AD FS](/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs). For creating a custom authentication method, see [Build a Custom Authentication Method for AD FS in Windows Server](/windows-server/identity/ad-fs/development/ad-fs-build-custom-auth-method) diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md index d6356353aa..578db1bd4e 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md @@ -2,25 +2,22 @@ title: Validate Public Key Infrastructure - certificate trust model (Windows Hello for Business) description: How to Validate Public Key Infrastructure for Windows Hello for Business, under a certificate trust model. ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 08/19/2018 -ms.reviewer: +author: paolomatarazzo +ms.author: paoloma +ms.reviewer: prsriva +manager: aaroncz +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ On-premises deployments +- ✅ Certificate trust --- # Validate and Configure Public Key Infrastructure - Certificate Trust Model -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- On-premises deployment -- Certificate trust - - Windows Hello for Business must have a public key infrastructure regardless of the deployment or trust model. All trust models depend on the domain controllers having a certificate. The certificate serves as a root of trust for clients to ensure they are not communicating with a rogue domain controller. The certificate trust model extends certificate issuance to client computers. During Windows Hello for Business provisioning, the user receives a sign-in certificate. ## Deploy an enterprise certificate authority diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md b/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md index 278560bbc5..21b67500a6 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md @@ -2,24 +2,22 @@ title: Windows Hello for Business Deployment Guide - On Premises Certificate Trust Deployment description: A guide to on premises, certificate trust Windows Hello for Business deployment. ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 08/19/2018 -ms.reviewer: +author: paolomatarazzo +ms.author: paoloma +ms.reviewer: prsriva +manager: aaroncz +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ On-premises deployments +- ✅ Certificate trust --- # On Premises Certificate Trust Deployment -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- On-premises deployment -- Certificate trust - Windows Hello for Business replaces username and password sign-in to Windows with authentication using an asymmetric key pair. This deployment guide provides the information you'll need to successfully deploy Windows Hello for Business in an existing environment. Below, you can find all the information needed to deploy Windows Hello for Business in a Certificate Trust Model in your on-premises environment: diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md index afe7fdf157..0f2c45e2f0 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md @@ -2,9 +2,10 @@ title: Windows Hello for Business Deployment Overview description: Use this deployment guide to successfully deploy Windows Hello for Business in an existing environment. ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: - M365-identity-device-management - highpri diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md index 47d8b38c53..43ff73fc92 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md @@ -3,14 +3,14 @@ title: Windows Hello for Business Deployment Known Issues description: A Troubleshooting Guide for Known Windows Hello for Business Deployment Issues params: siblings_only ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 05/03/2021 -ms.reviewer: --- # Windows Hello for Business Known Deployment Issues diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md b/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md index 280f51120d..faab624132 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md @@ -2,24 +2,22 @@ title: Windows Hello for Business Deployment Guide - On Premises Key Deployment description: A guide to on premises, key trust Windows Hello for Business deployment. ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 08/20/2018 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ On-premises deployment +- ✅ Key trust --- # On Premises Key Trust Deployment -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- On-premises deployment -- Key trust - Windows Hello for Business replaces username and password sign-in to Windows with strong user authentication based on asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in an existing environment. Below, you can find all the information you need to deploy Windows Hello for Business in a key trust model in your on-premises environment: diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md index 5df469ff3e..d0cc1cad93 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md @@ -2,25 +2,23 @@ title: Deploying Certificates to Key Trust Users to Enable RDP description: Learn how to deploy certificates to a Key Trust user to enable remote desktop with supplied credentials ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 02/22/2021 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Hybrid deployment +- ✅ Key trust --- # Deploying Certificates to Key Trust Users to Enable RDP -**Applies To** - -- Windows 10, version 1703 or later -- Windows 11 -- Hybrid deployment -- Key trust - Windows Hello for Business supports using a certificate as the supplied credential when establishing a remote desktop connection to a server or other device. For certificate trust deployments, creation of this certificate occurs at container creation time. This document discusses an approach for key trust deployments where authentication certificates can be deployed to an existing key trust user. diff --git a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md index 631d982e36..d995550c13 100644 --- a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md +++ b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md @@ -2,24 +2,23 @@ title: Windows Hello errors during PIN creation (Windows) description: When you set up Windows Hello in Windows 10/11, you may get an error during the Create a work PIN step. ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: - M365-identity-device-management - highpri ms.topic: troubleshooting ms.localizationpriority: medium ms.date: 05/05/2018 +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- # Windows Hello errors during PIN creation -**Applies to** - -- Windows 10 -- Windows 11 - When you set up Windows Hello in Windows client, you may get an error during the **Create a PIN** step. This topic lists some of the error codes with recommendations for mitigating the problem. If you get an error code that is not listed here, contact Microsoft Support. ## Where is the error code? @@ -70,6 +69,8 @@ If the error occurs again, check the error code against the following table to s | 0x801C044D | Authorization token does not contain device ID. | Unjoin the device from Azure AD and rejoin. | | | Unable to obtain user token. | Sign out and then sign in again. Check network and credentials. | | 0x801C044E | Failed to receive user credentials input. | Sign out and then sign in again. | +| 0xC00000BB | Your PIN or this option is temporarily unavailable.| The destination domain controller doesn't support the login method. Most often the KDC service doesn't have the proper certificate to support the login. Use a different login method.| + ## Errors with unknown mitigation diff --git a/windows/security/identity-protection/hello-for-business/hello-event-300.md b/windows/security/identity-protection/hello-for-business/hello-event-300.md index 3e481d0f4d..8fa58bce19 100644 --- a/windows/security/identity-protection/hello-for-business/hello-event-300.md +++ b/windows/security/identity-protection/hello-for-business/hello-event-300.md @@ -1,24 +1,22 @@ --- title: Event ID 300 - Windows Hello successfully created (Windows) description: This event is created when a Windows Hello for Business is successfully created and registered with Azure Active Directory (Azure AD). -ms.reviewer: ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium ms.date: 07/27/2017 +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- # Event ID 300 - Windows Hello successfully created -**Applies to** - -- Windows 10 -- Windows 11 - This event is created when Windows Hello for Business is successfully created and registered with Azure Active Directory (Azure AD). Applications or services can trigger actions on this event. For example, a certificate provisioning service can listen to this event and trigger a certificate request. ## Event details diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml index 2f77d6ba0e..5900a1444c 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.yml +++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml @@ -8,20 +8,22 @@ metadata: ms.sitesec: library ms.pagetype: security, mobile audience: ITPro - author: GitPrakhar13 - ms.author: prsriva - manager: dansimp + author: paolomatarazzo + ms.author: paoloma + manager: aaroncz + ms.reviewer: prsriva ms.collection: - M365-identity-device-management - highpri ms.topic: faq localizationpriority: medium ms.date: 02/21/2022 + appliesto: + - ✅ Windows 10 + - ✅ Windows 11 title: Windows Hello for Business Frequently Asked Questions (FAQ) summary: | - Applies to: Windows 10 - sections: - name: Ignored @@ -31,6 +33,7 @@ sections: answer: | Windows Hello for Business cloud trust is a new trust model that is currently in preview. This trust model will enable Windows Hello for Business deployment using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD-joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). Cloud trust is the preferred deployment model if you do not need to support certificate authentication scenarios. For more information, see [Hybrid Cloud Trust Deployment (Preview)](/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust). + - question: What about virtual smart cards? answer: | Windows Hello for Business is the modern, two-factor credential for Windows 10. Microsoft will be deprecating virtual smart cards in the future, but no date is set at this time. Customers using Windows 10 and virtual smart cards should move to Windows Hello for Business. Microsoft will publish the date early to ensure customers have adequate lead time to move to Windows Hello for Business. Microsoft recommends that new Windows 10 deployments use Windows Hello for Business. Virtual smart cards remain supported for Windows 7 and Windows 8. @@ -42,6 +45,7 @@ sections: - question: Can I use Windows Hello for Business key trust and RDP? answer: | Remote Desktop Protocol (RDP) doesn't currently support using key-based authentication and self-signed certificates as supplied credentials. However, you can deploy certificates in the key trust model to enable RDP. For more information, see [Deploying certificates to key trust users to enable RDP](hello-deployment-rdp-certs.md). In addition, Windows Hello for Business key trust can be also used with RDP with [Windows Defender Remote Credential Guard](../remote-credential-guard.md) without deploying certificates. + - question: Can I deploy Windows Hello for Business by using Microsoft Endpoint Configuration Manager? answer: | @@ -57,9 +61,8 @@ sections: - question: How can a PIN be more secure than a password? answer: | - The Windows Hello for Business PIN isn't a symmetric key, whereas a password is a symmetric key. With passwords, there's a server that has some representation of the password. With Windows Hello for Business, the PIN is user-provided entropy used to load the private key in the Trusted Platform Module (TPM). The server doesn't have a copy of the PIN. For that matter, the Windows client doesn't have a copy of the current PIN either. The user must provide the entropy, the TPM-protected key, and the TPM that generated that key in order to successfully access the private key. - - The statement "PIN is stronger than Password" isn't directed at the strength of the entropy used by the PIN. It's about the difference between providing entropy versus continuing the use of a symmetric key (the password). The TPM has anti-hammering features that thwart brute-force PIN attacks (an attacker's continuous attempt to try all combination of PINs). Some organizations may worry about shoulder surfing. For those organizations, rather than increase the complexity of the PIN, implement the [Multi-factor Unlock](feature-multifactor-unlock.md) feature. + When using Windows Hello for Business, the PIN isn't a symmetric key, whereas the password is a symmetric key. With passwords, there's a server that has some representation of the password. With Windows Hello for Business, the PIN is user-provided entropy used to load the private key in the Trusted Platform Module (TPM). The server doesn't have a copy of the PIN. For that matter, the Windows client doesn't have a copy of the current PIN either. The user must provide the entropy, the TPM-protected key, and the TPM that generated that key in order to successfully access the private key. + The statement "PIN is stronger than Password" is not directed at the strength of the entropy used by the PIN. It's about the difference between providing entropy versus continuing the use of a symmetric key (the password). The TPM has anti-hammering features that thwart brute-force PIN attacks (an attacker's continuous attempt to try all combination of PINs). Some organizations may worry about shoulder surfing. For those organizations, rather than increase the complexity of the PIN, implement the [Multifactor Unlock](feature-multifactor-unlock.md) feature. - question: How does Windows Hello for Business work with Azure AD registered devices? answer: | @@ -123,9 +126,9 @@ sections: - question: What's the difference between non-destructive and destructive PIN reset? answer: | - Windows Hello for Business has two types of PIN reset: non-destructive and destructive. Organizations running Windows 10 Enterprise and Azure Active Directory can take advantage of the Microsoft PIN Reset service. Once on-boarded to a tenant and deployed to computers, users who have forgotten their PINs can authenticate to Azure, provide a second factor of authentication, and reset their PIN without reprovisioning a new Windows Hello for Business enrollment. This flow is a non-destructive PIN reset because the user doesn't delete the current credential and obtain a new one. For more information, see [PIN Reset](hello-feature-pin-reset.md). + Windows Hello for Business has two types of PIN reset: non-destructive and destructive. Organizations running Windows 10 version 1903 and later and Azure Active Directory can take advantage of the Microsoft PIN Reset service. Once on-boarded to a tenant and deployed to computers, users who have forgotten their PINs can authenticate to Azure, provide a second factor of authentication, and reset their PIN without reprovisioning a new Windows Hello for Business enrollment. This flow is a non-destructive PIN reset because the user doesn't delete the current credential and obtain a new one. For more information, see [PIN Reset](hello-feature-pin-reset.md). - Organizations that have the on-premises deployment of Windows Hello for Business, or those not using Windows 10 Enterprise can use destructive PIN reset. With destructive PIN reset, users that have forgotten their PIN can authenticate by using their password and then performing a second factor of authentication to reprovision their Windows Hello for Business credential. Reprovisioning deletes the old credential and requests a new credential and certificate. On-premises deployments need network connectivity to their domain controllers, Active Directory Federation Services, and their issuing certificate authority to perform a destructive PIN reset. For hybrid deployments, destructive PIN reset is only supported with the certificate trust model and the latest updates to Active Directory Federation Services. + Organizations that have the on-premises deployment of Windows Hello for Business, or those not using Windows 10 version 1903 and later can use destructive PIN reset. With destructive PIN reset, users that have forgotten their PIN can authenticate by using their password and then performing a second factor of authentication to reprovision their Windows Hello for Business credential. Reprovisioning deletes the old credential and requests a new credential and certificate. On-premises deployments need network connectivity to their domain controllers, Active Directory Federation Services, and their issuing certificate authority to perform a destructive PIN reset. For hybrid Azure Active Directory joined devices, destructive PIN reset is only supported with the certificate trust model and the latest updates to Active Directory Federation Services. - question: | Which is better or more secure, key trust or certificate trust? @@ -149,7 +152,31 @@ sections: - question: Is Windows Hello for Business multi-factor authentication? answer: | Windows Hello for Business is two-factor authentication based on the observed authentication factors of: something you have, something you know, and something that's part of you. Windows Hello for Business incorporates two of these factors: something you have (the user's private key protected by the device's security module) and something you know (your PIN). With the proper hardware, you can enhance the user experience by introducing biometrics. By using biometrics, you can replace the "something you know" authentication factor with the "something that is part of you" factor, with the assurances that users can fall back to the "something you know factor". - + + - question: Where is Windows Hello biometrics data stored? + answer: | + When you enroll in Windows Hello, a representation of your face called an enrollment profile is created more information can be found on [Windows Hello face authentication](https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/windows-hello-face-authentication). This enrollment profile biometrics data is device specific, is stored locally on the device, and does not leave the device or roam with the user. Some external fingerprint sensors store biometric data on the fingerprint module itself rather than on Windows device. Even in this case, the biometrics data is stored locally on those modules, is device specific, doesn’t roam, never leaves the module, and is never sent to Microsoft cloud or external server. For more details see [Windows Hello biometrics in the enterprise](https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise#where-is-windows-hello-data-stored). + + - question: What is the format used to store Windows Hello biometrics data on the device? + answer: | + Windows Hello biometrics data is stored on the device as an encrypted template database. The data from the biometrics sensor (e.g., face camera or fingerprint reader) creates a data representation—or graph—that is then encrypted before it’s stored on the device. Each biometrics sensor on the device which is used by Windows Hello (face or fingerprint) will have its own biometric database file where template data is stored. Each biometrics database file is encrypted with unique, randomly generated key that is encrypted to the system using AES encryption producing an SHA256 hash. + + - question: Who has access on Windows Hello biometrics data? + answer: | + Since Windows Hello biometrics data is stored in encrypted format, no user, or any process other than Windows Hello has access to it. + + - question: When is Windows Hello biometrics database file created? How is a user enrolled into Windows Hello face or fingerprint authentication? + answer: | + Windows Hello biometrics template database file is created on the device only when a user is enrolled into Windows Hello biometrics-based authentication. Your workplace or IT administrator may have turned certain authentication functionality, however, it is always your choice if you want to use Windows Hello or an alternative method (e.g. pin). Users can check their current enrollment into Windows Hello biometrics by going to sign-in options on their device. Go to **Start** > **Settings** > **Accounts** > **Sign-in** options. Or just click on **Go to Sign-in options**. To enroll into Windows Hello, user can go to **Start** > **Settings** > **Accounts** > **Sign-in** options, select the Windows Hello method that they want to set up, and then select **Set up**. If you don't see Windows Hello in Sign-in options, then it may not be available for your device or blocked by admin via policy. Admins can by policy request users to enroll into Windows Hello during autopilot or during initial setup of the device. Admins can disallow users to enroll into biometrics via Windows hello for business policy configurations. However, when allowed via policy configurations, enrollment into Windows Hello biometrics is always optional for users. + + - question: When is Windows Hello biometrics database file deleted? How can a user be unenrolled from Windows Hello face or fingerprint authentication? + answer: | + To remove Windows Hello and any associated biometric identification data from the device, user can go to **Start** > **Settings** > **Accounts** > **Sign-in options**. Select the Windows Hello biometrics authentication method you want to remove, and then select **Remove**. This will unenroll the user from Windows Hello biometrics auth and will also delete the associated biometrics template database file. For more details see [Windows sign-in options and account protection (microsoft.com)](https://support.microsoft.com/en-us/windows/windows-sign-in-options-and-account-protection-7b34d4cf-794f-f6bd-ddcc-e73cdf1a6fbf#bkmk_helloandprivacy). + + - question: What about any diagnostic data coming out when WHFB is enabled? + answer: | + To help us keep things working properly, to help detect and prevent fraud, and to continue improving Windows Hello, we collect diagnostic data about how people use Windows Hello. For example, data about whether people sign in with their face, iris, fingerprint, or PIN; the number of times they use it; and whether it works or not is all valuable information that helps us build a better product. The data is pseudonymized, does not include biometric information, and is encrypted before it is transmitted to Microsoft. You can choose to stop sending diagnostic data to Microsoft at any time. [Learn more about diagnostic data in Windows](https://support.microsoft.com/en-us/windows/diagnostics-feedback-and-privacy-in-windows-28808a2b-a31b-dd73-dcd3-4559a5199319). + - question: What are the biometric requirements for Windows Hello for Business? answer: | Read [Windows Hello biometric requirements](/windows-hardware/design/device-experiences/windows-hello-biometric-requirements) for more information. @@ -206,7 +233,7 @@ sections: answer: | Wherever possible, Windows Hello for Business takes advantage of Trusted Platform Module (TPM) 2.0 hardware to generate and protect keys. However, Windows Hello and Windows Hello for Business don't require a TPM. Administrators can choose to allow key operations in software. - Whenever possible, Microsoft strongly recommends the use of TPM hardware. The TPM protects against a variety of known and potential attacks, including PIN brute-force attacks. The TPM provides an additional layer of protection after an account lockout, too. When the TPM has locked the key material, the user will need to reset the PIN (which means they'll need to use MFA to re-authenticate to the IDP before the IDP allows them to re-register). + Whenever possible, Microsoft strongly recommends the use of TPM hardware. The TPM protects against various known and potential attacks, including PIN brute-force attacks. The TPM provides an additional layer of protection after an account lockout, too. When the TPM has locked the key material, the user will need to reset the PIN (which means they'll need to use MFA to reauthenticate to the IDP before the IDP allows them to re-register). - question: Can Windows Hello for Business work in air-gapped environments? answer: | @@ -223,9 +250,9 @@ sections: | Protocol | Description | | :---: | :--- | | [[MS-KPP]: Key Provisioning Protocol](/openspecs/windows_protocols/ms-kpp/25ff7bd8-50e3-4769-af23-bcfd0b4d4567) | Specifies the Key Provisioning Protocol, which defines a mechanism for a client to register a set of cryptographic keys on a user and device pair. | - | [[MS-OAPX]: OAuth 2.0 Protocol Extensions](/openspecs/windows_protocols/ms-oapx/7612efd4-f4c8-43c3-aed6-f5c5ce359da2)| Specifies the OAuth 2.0 Protocol Extensions, which are used to extend the OAuth 2.0 Authorization Framework. These extensions enable authorization features such as resource specification, request identifiers, and login hints. | + | [[MS-OAPX]: OAuth 2.0 Protocol Extensions](/openspecs/windows_protocols/ms-oapx/7612efd4-f4c8-43c3-aed6-f5c5ce359da2)| Specifies the OAuth 2.0 Protocol Extensions, which are used to extend the OAuth 2.0 Authorization Framework. These extensions enable authorization features such as resource specification, request identifiers, and log in hints. | | [[MS-OAPXBC]: OAuth 2.0 Protocol Extensions for Broker Clients](/openspecs/windows_protocols/ms-oapxbc/2f7d8875-0383-4058-956d-2fb216b44706) | Specifies the OAuth 2.0 Protocol Extensions for Broker Clients, extensions to RFC6749 (the OAuth 2.0 Authorization Framework) that allow a broker client to obtain access tokens on behalf of calling clients. | - | [[MS-OIDCE]: OpenID Connect 1.0 Protocol Extensions](/openspecs/windows_protocols/ms-oidce/718379cf-8bc1-487e-962d-208aeb8e70ee) | Specifies the OpenID Connect 1.0 Protocol Extensions. These extensions define additional claims to carry information about the user, including the user principal name, a locally unique identifier, a time for password expiration, and a URL for password change. These extensions also define additional provider meta-data that enables the discovery of the issuer of access tokens and gives additional information about provider capabilities. | + | [[MS-OIDCE]: OpenID Connect 1.0 Protocol Extensions](/openspecs/windows_protocols/ms-oidce/718379cf-8bc1-487e-962d-208aeb8e70ee) | Specifies the OpenID Connect 1.0 Protocol Extensions. These extensions define other claims to carry information about the user, including the user principal name, a locally unique identifier, a time for password expiration, and a URL for password change. These extensions also define more provider meta-data that enables the discovery of the issuer of access tokens and gives additional information about provider capabilities. | - question: Does Windows Hello for Business work with Mac and Linux clients? answer: | @@ -235,3 +262,4 @@ sections: - question: Does Windows Hello for Business work with Azure Active Directory Domain Services (Azure AD DS) clients? answer: | No, Azure AD DS is a separately managed environment in Azure, and hybrid device registration with cloud Azure AD isn't available for it via Azure AD Connect. Hence, Windows Hello for Business doesn't work with Azure AD. + diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md b/windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md index 5dac00754e..2acbb4823a 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md @@ -2,14 +2,14 @@ title: Conditional Access description: Ensure that only approved users can access your devices, applications, and services from anywhere by enabling single sign-on with Azure Active Directory. ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 09/09/2019 -ms.reviewer: --- # Conditional access diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md b/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md index 445df8f5a8..489d5513cf 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md @@ -2,14 +2,14 @@ title: Dual Enrollment description: Learn how to configure Windows Hello for Business dual enrollment. Also, learn how to configure Active Directory to support Domain Administrator enrollment. ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 09/09/2019 -ms.reviewer: --- # Dual Enrollment diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md index bdd56753a1..4fbe94952d 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md @@ -2,22 +2,21 @@ title: Dynamic lock description: Learn how to set Dynamic lock on Windows 10 and Windows 11 devices, by configuring group policies. This feature locks a device when a Bluetooth signal falls below a set value. ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 07/12/2022 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- # Dynamic lock -**Requirements:** - -* Windows 10, version 1703 or later - Dynamic lock enables you to configure Windows devices to automatically lock when Bluetooth paired device signal falls below the maximum Received Signal Strength Indicator (RSSI) value. This makes it more difficult for someone to gain access to your device if you step away from your PC and forget to lock it. > [!IMPORTANT] diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md index 5d90ae5f90..5b2df11202 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md @@ -1,10 +1,11 @@ --- title: Pin Reset -description: Learn how Microsoft PIN reset services enables you to help users recover who have forgotten their PIN. +description: Learn how Microsoft PIN reset services enable you to help users recover who have forgotten their PIN. ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: - M365-identity-device-management - highpri @@ -22,38 +23,49 @@ Windows Hello for Business provides the capability for users to reset forgotten There are two forms of PIN reset: -- **Destructive PIN reset**: with this option, the user's existing PIN and underlying credentials, including any keys or certificates added to their Windows Hello container, are deleted from the client and a new log in key and PIN are provisioned. Destructive PIN reset is the default option, and doesn't require configuration. +- **Destructive PIN reset**: with this option, the user's existing PIN and underlying credentials, including any keys or certificates added to their Windows Hello container, are deleted from the client and a new login key and PIN are provisioned. Destructive PIN reset is the default option, and doesn't require configuration. - **Non-destructive PIN reset**: with this option, the user's Windows Hello for Business container and keys are preserved, but the user's PIN that they use to authorize key usage is changed. For non-destructive PIN reset, you must deploy the **Microsoft PIN Reset Service** and configure your clients' policy to enable the **PIN Recovery** feature. ## Using PIN reset + +There are two forms of PIN reset called destructive and non-destructive. Destructive PIN reset is the default and doesn't require configuration. During a destructive PIN reset, the user's existing PIN and underlying credentials, including any keys or certificates added to their Windows Hello container, will be deleted from the client and a new logon key and PIN are provisioned. For non-destructive PIN reset, you must deploy the Microsoft PIN reset service and client policy to enable the PIN recovery feature. During a non-destructive PIN reset, the user's Windows Hello for Business container and keys are preserved, but the user's PIN that they use to authorize key usage is changed. + +**Requirements** + +- Reset from settings - Windows 10, version 1703 or later, Windows 11 +- Reset above Lock - Windows 10, version 1709 or later, Windows 11 + Destructive and non-destructive PIN reset use the same steps for initiating a PIN reset. If users have forgotten their PINs, but have an alternate sign-in method, they can navigate to Sign-in options in *Settings* and initiate a PIN reset from the PIN options. If users do not have an alternate way to sign into their devices, PIN reset can also be initiated from the Windows lock screen in the PIN credential provider. + >[!IMPORTANT] >For hybrid Azure AD-joined devices, users must have corporate network connectivity to domain controllers to complete destructive PIN reset. If AD FS is being used for certificate trust or for on-premises only deployments, users must also have corporate network connectivity to federation services to reset their PIN. ### Reset PIN from Settings -1. Sign-in to Windows 10 using an alternate credential -1. Open **Settings**, select **Accounts** > **Sign-in options** -1. Select **PIN (Windows Hello)** > **I forgot my PIN** and follow the instructions +1. Sign-in to Windows 10 using an alternate credential. +1. Open **Settings**, select **Accounts** > **Sign-in options**. +1. Select **PIN (Windows Hello)** > **I forgot my PIN** and follow the instructions. + ### Reset PIN above the Lock Screen For Azure AD-joined devices: -1. If the PIN credential provider is not selected, expand the **Sign-in options** link, and select the PIN pad icon -1. Select **I forgot my PIN** from the PIN credential provider -1. Select an authentication option from the list of presented options. This list will be based on the different authentication methods enabled in your tenant (e.g., Password, PIN, Security key) -1. Follow the instructions provided by the provisioning process -1. When finished, unlock your desktop using your newly created PIN +1. If the PIN credential provider is not selected, expand the **Sign-in options** link, and select the PIN pad icon. +1. Select **I forgot my PIN** from the PIN credential provider. +1. Select an authentication option from the list of presented options. This list will be based on the different authentication methods enabled in your tenant (e.g., Password, PIN, Security key). +1. Follow the instructions provided by the provisioning process. +1. When finished, unlock your desktop using your newly created PIN. + For Hybrid Azure AD-joined devices: -1. If the PIN credential provider is not selected, expand the **Sign-in options** link, and select the PIN pad icon -1. Select **I forgot my PIN** from the PIN credential provider -1. Enter your password and press enter -1. Follow the instructions provided by the provisioning process -1. When finished, unlock your desktop using your newly created PIN +1. If the PIN credential provider is not selected, expand the **Sign-in options** link, and select the PIN pad icon. +1. Select **I forgot my PIN** from the PIN credential provider. +1. Enter your password and press enter. +1. Follow the instructions provided by the provisioning process. +1. When finished, unlock your desktop using your newly created PIN. > [!NOTE] > Key trust on hybrid Azure AD-joined devices does not support destructive PIN reset from above the Lock Screen. This is due to the sync delay between when a user provisions their Windows Hello for Business credential and being able to use it for sign-in. For this deployment model, you must deploy non-destructive PIN reset for above lock PIN reset to work. @@ -65,16 +77,36 @@ You may find that PIN reset from settings only works post login, and that the "l **Requirements:** - Azure Active Directory +- Windows 10, version 1709 to 1809, Enterprise Edition. There is no licensing requirement for this feature since version 1903. - Hybrid Windows Hello for Business deployment - Azure AD registered, Azure AD joined, and Hybrid Azure AD joined + When non-destructive PIN reset is enabled on a client, a 256-bit AES key is generated locally and added to a user's Windows Hello for Business container and keys as the PIN reset protector. This PIN reset protector is encrypted using a public key retrieved from the Microsoft PIN reset service and then stored on the client for later use during PIN reset. After a user initiates a PIN reset, completes authentication and multi-factor authentication to Azure AD, the encrypted PIN reset protector is sent to the Microsoft PIN reset service, decrypted, and returned to the client. The decrypted PIN reset protector is used to change the PIN used to authorize Windows Hello for Business keys and it is then cleared from memory. Using Group Policy, Microsoft Intune or a compatible MDM solution, you can configure Windows devices to securely use the **Microsoft PIN Reset Service** which enables users to reset their forgotten PIN without requiring re-enrollment. >[!IMPORTANT] +> The Microsoft PIN Reset service only works with **Enterprise Edition** for Windows 10, version 1709 to 1809 and later, and Windows 11. The feature works with **Enterprise Edition** and **Pro** edition with Windows 10, version 1903 and later, Windows 11. +> The Microsoft PIN Reset service is not currently available in Azure Government. + +### Summary + +|Category|Destructive PIN Reset|Non-Destructive PIN Reset| +|--- |--- |--- | +|**Functionality**|The user's existing PIN and underlying credentials, including any keys or certificates added to their Windows Hello container, will be deleted from the client and a new logon key and PIN are provisioned.|You must deploy the Microsoft PIN reset service and client policy to enable the PIN recovery feature. For more information on how to deploy the Microsoft PIN reset service and client policy, see [Connect Azure Active Directory with the PIN reset service](#connect-azure-active-directory-with-the-pin-reset-service). During a non-destructive PIN reset, the user's Windows Hello for Business container and keys are preserved, but the user's PIN that they use to authorize key usage is changed.| +|**Windows editions and versions**|Reset from settings - Windows 10, version 1703 or later, Windows 11. Reset above Lock - Windows 10, version 1709 or later, Windows 11.|Windows 10, version 1709 to 1809, Enterprise Edition. There is no licensing requirement for this feature since version 1903. Enterprise Edition and Pro edition with Windows 10, version 1903 and newer Windows 11.| +|**Azure Active Directory Joined**|Cert Trust, Key Trust, and Cloud Trust|Cert Trust, Key Trust, and Cloud Trust| +|**Hybrid Azure Active Directory Joined**|Cert Trust and Cloud Trust for both settings and above the lock support destructive PIN reset. Key Trust doesn't support this from above the lock screen. This is due to the sync delay between when a user provisions their Windows Hello for Business credential and being able to use it for sign-in. It does support from the settings page and the users must have a corporate network connectivity to the DC. |Cert Trust, Key Trust, and Cloud Trust for both settings and above the lock support non-destructive PIN reset. No network connection is required for the DC.| +|**On Premises**|If ADFS is being used for on premises deployments, users must have a corporate network connectivity to federation services. |The PIN reset service relies on Azure Active Directory identities, so it is only available for Hybrid Azure Active Directory Joined and Azure Active Directory Joined devices.| +|**Additional Configuration required**|Supported by default and doesn't require configuration|Deploy the Microsoft PIN reset service and client policy to enable the PIN recovery feature On-board the Microsoft PIN reset service to respective Azure Active Directory tenant Configure Windows devices to use PIN reset using Group *Policy\MDM*.| +|**MSA/Enterprise**|MSA and Enterprise|Enterprise only.| + +### Onboarding the Microsoft PIN reset service to your Intune tenant + > The **Microsoft PIN Reset Service** is not currently available in Azure Government. + ### Enable the Microsoft PIN Reset Service in your Azure AD tenant Before you can remotely reset PINs, you must register two applications in your Azure Active Directory tenant: @@ -84,21 +116,21 @@ Before you can remotely reset PINs, you must register two applications in your A #### Connect Azure Active Directory with the PIN Reset Service -1. Go to the [Microsoft PIN Reset Service Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=b8456c59-1230-44c7-a4a2-99b085333e84&resource=https%3A%2F%2Fgraph.windows.net&redirect_uri=https%3A%2F%2Fcred.microsoft.com&state=e9191523-6c2f-4f1d-a4f9-c36f26f89df0&prompt=admin_consent), and sign in using a Global Administrator account you use to manage your Azure Active Directory tenant -1. After you have logged in, select **Accept** to give consent to the **PIN Reset Service** to access your organization +1. Go to the [Microsoft PIN Reset Service Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=b8456c59-1230-44c7-a4a2-99b085333e84&resource=https%3A%2F%2Fgraph.windows.net&redirect_uri=https%3A%2F%2Fcred.microsoft.com&state=e9191523-6c2f-4f1d-a4f9-c36f26f89df0&prompt=admin_consent), and sign in using a Global Administrator account you use to manage your Azure Active Directory tenant. +1. After you have logged in, select **Accept** to give consent to the **PIN Reset Service** to access your organization. ![PIN reset service application in Azure.](images/pinreset/pin-reset-service-prompt.png) #### Connect Azure Active Directory with the PIN Reset Client -1. Go to the [Microsoft PIN Reset Client Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=9115dd05-fad5-4f9c-acc7-305d08b1b04e&resource=https%3A%2F%2Fcred.microsoft.com%2F&redirect_uri=ms-appx-web%3A%2F%2FMicrosoft.AAD.BrokerPlugin%2F9115dd05-fad5-4f9c-acc7-305d08b1b04e&state=6765f8c5-f4a7-4029-b667-46a6776ad611&prompt=admin_consent), and sign in using a Global Administrator account you use to manage your Azure Active Directory tenant -1. After you have logged in, select **Accept** to give consent for the **PIN Reset Client** to access your organization +1. Go to the [Microsoft PIN Reset Client Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=9115dd05-fad5-4f9c-acc7-305d08b1b04e&resource=https%3A%2F%2Fcred.microsoft.com%2F&redirect_uri=ms-appx-web%3A%2F%2FMicrosoft.AAD.BrokerPlugin%2F9115dd05-fad5-4f9c-acc7-305d08b1b04e&state=6765f8c5-f4a7-4029-b667-46a6776ad611&prompt=admin_consent), and sign in using a Global Administrator account you use to manage your Azure Active Directory tenant. +1. After you have logged in, select **Accept** to give consent for the **PIN Reset Client** to access your organization. ![PIN reset client application in Azure.](images/pinreset/pin-reset-client-prompt.png) #### Confirm that the two PIN Reset service principals are registered in your tenant -1. Sign in to the [Microsoft Entra Manager admin center](https://entra.microsoft.com) -1. Select **Azure Active Directory** > **Applications** > **Enterprise applications** -1. Search by application name "Microsoft PIN" and both **Microsoft Pin Reset Service Production** and **Microsoft Pin Reset Client Production** will show up in the list +1. Sign in to the [Microsoft Entra Manager admin center](https://entra.microsoft.com). +1. Select **Azure Active Directory** > **Applications** > **Enterprise applications**. +1. Search by application name "Microsoft PIN" and both **Microsoft Pin Reset Service Production** and **Microsoft Pin Reset Client Production** will show up in the list. :::image type="content" alt-text="PIN reset service permissions page." source="images/pinreset/pin-reset-applications.png" lightbox="images/pinreset/pin-reset-applications-expanded.png"::: ### Enable PIN Recovery on your devices @@ -109,39 +141,39 @@ Before you can remotely reset PINs, your devices must be configured to enable PI You can configure Windows devices to use the **Microsoft PIN Reset Service** using Microsoft Intune. -1. Sign in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com) -1. Select **Devices** > **Configuration profiles** > **Create profile** +1. Sign in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com). +1. Select **Devices** > **Configuration profiles** > **Create profile**. 1. Enter the following properties: - - **Platform**: Select **Windows 10 and later** - - **Profile type**: Select **Settings catalog** -1. Select **Create** + - **Platform**: Select **Windows 10 and later**. + - **Profile type**: Select **Settings catalog**. +1. Select **Create**. 1. In **Basics**, enter the following properties: - - **Name**: Enter a descriptive name for the profile - - **Description**: Enter a description for the profile. This setting is optional, but recommended -1. Select **Next** -1. In **Configuration settings**, select **Add settings** -1. In the settings picker, select **Windows Hello For Business** > **Enable Pin Recovery** -1. Configure **Enable Pin Recovery** to **true** -1. Select **Next** -1. In **Scope tags**, assign any applicable tags (optional) -1. Select **Next** -1. In **Assignments**, select the security groups that will receive the policy -1. Select **Next** -1. In **Review + create**, review your settings and select **Create** + - **Name**: Enter a descriptive name for the profile. + - **Description**: Enter a description for the profile. This setting is optional, but recommended. +1. Select **Next**. +1. In **Configuration settings**, select **Add settings**. +1. In the settings picker, select **Windows Hello For Business** > **Enable Pin Recovery**. +1. Configure **Enable Pin Recovery** to **true**. +1. Select **Next**. +1. In **Scope tags**, assign any applicable tags (optional). +1. Select **Next**. +1. In **Assignments**, select the security groups that will receive the policy. +1. Select **Next**. +1. In **Review + create**, review your settings and select **Create**. >[!NOTE] > You can also configure PIN recovery from the **Endpoint security** blade: -> 1. Sign in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com) -> 1. Select **Endpoint security** > **Account protection** > **Create Policy** +> 1. Sign in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com). +> 1. Select **Endpoint security** > **Account protection** > **Create Policy**. #### [✅ **GPO**](#tab/gpo) You can configure Windows devices to use the **Microsoft PIN Reset Service** using a Group Policy Object (GPO). -1. Using the Group Policy Management Console (GPMC), scope a domain-based Group Policy to computer accounts in Active Directory -1. Edit the Group Policy object from Step 1 -1. Enable the **Use PIN Recovery** policy setting located under **Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business** -1. Close the Group Policy Management Editor to save the Group Policy object +1. Using the Group Policy Management Console (GPMC), scope a domain-based Group Policy to computer accounts in Active Directory. +1. Edit the Group Policy object from Step 1. +1. Enable the **Use PIN Recovery** policy setting located under **Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business**. +1. Close the Group Policy Management Editor to save the Group Policy object. #### [✅ **CSP**](#tab/csp) @@ -198,6 +230,44 @@ The _PIN reset_ configuration can be viewed by running [**dsregcmd /status**](/a +----------------------------------------------------------------------+ ``` +## Configure Web Sign-in Allowed URLs for Third Party Identity Providers on Azure AD Joined Devices + +**Applies to:** + +- Windows 10, version 1803 or later +- Windows 11 +- Azure AD joined + +The [ConfigureWebSignInAllowedUrls](/windows/client-management/mdm/policy-csp-authentication#authentication-configurewebsigninallowedurls) policy allows you to specify a list of domains that are allowed to be navigated to during PIN reset flows on Azure AD-joined devices. If you have a federated environment and authentication is handled using AD FS or a third-party identity provider, this policy should be set to ensure that authentication pages from that identity provider can be used during Azure AD joined PIN reset. + +### Configuring Policy Using Intune + +1. Sign-in to [Endpoint Manager admin center](https://endpoint.microsoft.com/) using a Global administrator account. + +1. Click **Devices**. Click **Configuration profiles**. Click **Create profile**. + +1. For Platform select **Windows 10 and later** and for Profile type select **Templates**. In the list of templates that is loaded, select **Custom** and click Create. + +1. In the **Name** field type **Web Sign In Allowed URLs** and optionally provide a description for the configuration. Click Next. + +1. On the Configuration settings page, click **Add** to add a custom OMA-URI setting. Provide the following information for the custom settings: + + - **Name:** Web Sign In Allowed URLs + - **Description:** (Optional) List of domains that are allowed during PIN reset flows. + - **OMA-URI:** ./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebSignInAllowedUrls + - **Data type:** String + - **Value**: Provide a semicolon delimited list of domains needed for authentication during the PIN reset scenario. An example value would be _signin.contoso.com;portal.contoso.com_ (without quotation marks) + + :::image type="content" alt-text="Custom Configuration for ConfigureWebSignInAllowedUrls policy." source="images/pinreset/allowlist.png" lightbox="images/pinreset/allowlist.png"::: + +1. Click the **Save** button to save the custom configuration. + +1. On the Assignments page, use the Included groups and Excluded groups sections to define the groups of users or devices that should receive this policy. Once you have completed configuring groups click the Next button. + +1. On the Applicability rules page, click **Next**. + +1. Review the configuration that is shown on the Review + create page to make sure that it is accurate. Click create to save the profile and apply it to the configured groups. + ### Configure Web Sign-in Allowed URLs for Third Party Identity Providers on Azure AD Joined Devices The [ConfigureWebSignInAllowedUrls](/windows/client-management/mdm/policy-csp-authentication#authentication-configurewebsigninallowedurls) policy allows you to specify a list of domains that can be reached during PIN reset flows on Azure AD-joined devices. If you have a federated environment and authentication is handled using AD FS or a third-party identity provider, this policy should be set to ensure that authentication pages from that identity provider can be used during Azure AD joined PIN reset. @@ -205,28 +275,29 @@ The [ConfigureWebSignInAllowedUrls](/windows/client-management/mdm/policy-csp-au #### Configure Web Sign-in Allowed URLs using Microsoft Intune -1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) -1. Select **Devices** > **Configuration profiles** > **Create profile** +1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. Select **Devices** > **Configuration profiles** > **Create profile**. 1. Enter the following properties: - - **Platform**: Select **Windows 10 and later** - - **Profile type**: Select **Templates** - - In the list of templates that is loaded, select **Custom** > **Create** + - **Platform**: Select **Windows 10 and later**. + - **Profile type**: Select **Templates**. + - In the list of templates that is loaded, select **Custom** > **Create**. 1. In **Basics**, enter the following properties: - - **Name**: Enter a descriptive name for the profile - - **Description**: Enter a description for the profile. This setting is optional, but recommended -1. Select **Next** + - **Name**: Enter a descriptive name for the profile. + - **Description**: Enter a description for the profile. This setting is optional, but recommended. +1. Select **Next**. 1. In **Configuration settings**, select **Add** and enter the following settings: - Name: **Web Sign In Allowed URLs** - Description: **(Optional) List of domains that are allowed during PIN reset flows** - OMA-URI: `./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebSignInAllowedUrls` - Data type: **String** - - Value: Provide a semicolon delimited list of domains needed for authentication during the PIN reset scenario. An example value would be **signin.contoso.com;portal.contoso.com** (without quotation marks) + - Value: Provide a semicolon delimited list of domains needed for authentication during the PIN reset scenario. An example value would be **signin.contoso.com;portal.contoso.com** (without quotation marks). :::image type="content" alt-text="Custom Configuration for ConfigureWebSignInAllowedUrls policy." source="images/pinreset/allowlist.png" lightbox="images/pinreset/allowlist-expanded.png"::: -1. Select **Save** > **Next** -1. In **Assignments**, select the security groups that will receive the policy -1. Select **Next** -1. In **Applicability Rules**, select **Next** -1. In **Review + create**, review your settings and select **Create** +1. Select **Save** > **Next**. +1. In **Assignments**, select the security groups that will receive the policy. +1. Select **Next**. +1. In **Applicability Rules**, select **Next**. +1. In **Review + create**, review your settings and select **Create**. + > [!NOTE] > For Azure Government, there is a known issue with PIN reset on Azure AD Joined devices failing. When the user attempts to launch PIN reset, the PIN reset UI shows an error page that says, "We can't open that page right now." The ConfigureWebSignInAllowedUrls policy can be used to work around this issue. If you are experiencing this problem and you are using Azure US Government cloud, set **login.microsoftonline.us** as the value for the ConfigureWebSignInAllowedUrls policy. diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md index b622e6277f..6e297b92e3 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md @@ -2,14 +2,14 @@ title: Remote Desktop description: Learn how Windows Hello for Business supports using biometrics with remote desktop ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 02/24/2021 -ms.reviewer: --- # Remote Desktop diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md index 76b94b5ddb..909df0b77b 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md @@ -2,22 +2,20 @@ title: How Windows Hello for Business works - Authentication description: Learn about the authentication flow for Windows Hello for Business. ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 02/15/2022 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- # Windows Hello for Business and Authentication -**Applies to:** - -- Windows 10 -- Windows 11 - Windows Hello for Business authentication is passwordless, two-factor authentication. Authenticating with Windows Hello for Business provides a convenient sign-in experience that authenticates the user to both Azure Active Directory and Active Directory resources. Azure Active Directory-joined devices authenticate to Azure during sign-in and can optionally authenticate to Active Directory. Hybrid Azure Active Directory-joined devices authenticate to Active Directory during sign-in, and authenticate to Azure Active Directory in the background. diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md index c81ed991e1..7d93ef16b8 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md @@ -2,22 +2,20 @@ title: How Windows Hello for Business works - Provisioning description: Explore the provisioning flows for Windows Hello for Business, from within a variety of environments. ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 2/15/2022 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- # Windows Hello for Business Provisioning -**Applies to:** - -- Windows 10 -- Windows 11 - Windows Hello for Business provisioning enables a user to enroll a new, strong, two-factor credential that they can use for passwordless authentication. Provisioning experience vary based on: - How the device is joined to Azure Active Directory diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md index 1813f3e403..ff24499d85 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md @@ -2,23 +2,21 @@ title: How Windows Hello for Business works - technology and terms description: Explore technology and terms associated with Windows Hello for Business. Learn how Windows Hello for Business works. ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 10/08/2018 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- # Technology and terms -**Applies to:** - -- Windows 10 -- Windows 11 - ## Attestation identity keys Because the endorsement certificate is unique for each device and doesn't change, the usage of it may present privacy concerns because it's theoretically possible to track a specific device. To avoid this privacy problem, Windows issues a derived attestation anchor based on the endorsement certificate. This intermediate key, which can be attested to an endorsement key, is the Attestation Identity Key (AIK) and the corresponding certificate is called the AIK certificate. This AIK certificate is issued by a Microsoft cloud service. diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md index 768b3a0e02..cb5b134268 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md @@ -2,22 +2,20 @@ title: How Windows Hello for Business works description: Learn how Windows Hello for Business works, and how it can help your users authenticate to services. ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 05/05/2018 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- # How Windows Hello for Business works in Windows Devices -**Applies to** - -- Windows 10 -- Windows 11 - Windows Hello for Business is a modern, two-factor credential that is the more secure alternative to passwords. Whether you are cloud or on-premises, Windows Hello for Business has a deployment option for you. For cloud deployments, you can use Windows Hello for Business with Azure Active Directory-joined, Hybrid Azure Active Directory-joined, or Azure AD registered devices. Windows Hello for Business also works for domain joined devices. Watch this quick video where Pieter Wigleven gives a simple explanation of how Windows Hello for Business works and some of its supporting features. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md index 51f303b2ba..c936ab0e6a 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md @@ -2,26 +2,24 @@ title: Configure Azure AD-joined devices for On-premises Single-Sign On using Windows Hello for Business description: Before adding Azure Active Directory (Azure AD) joined devices to your existing hybrid deployment, you need to verify the existing deployment can support them. ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: - M365-identity-device-management - highpri ms.topic: article localizationpriority: medium ms.date: 01/14/2021 +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Azure Active Directory-join +- ✅ Hybrid Deployment +- ✅ Key trust --- # Configure Azure AD-joined devices for On-premises Single-Sign On using Windows Hello for Business - -**Applies to** - -- Windows 10 -- Windows 11 -- Azure Active Directory-joined -- Hybrid Deployment -- Key trust model - ## Prerequisites Before adding Azure Active Directory (Azure AD) joined devices to your existing hybrid deployment, you need to verify the existing deployment can support Azure AD-joined devices. Unlike hybrid Azure AD-joined devices, Azure AD-joined devices do not have a relationship with your Active Directory domain. This factor changes the way in which users authenticate to Active Directory. Validate the following configurations to ensure they support Azure AD-joined devices. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index 53931e113c..875fe62728 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md @@ -2,26 +2,24 @@ title: Using Certificates for AADJ On-premises Single-sign On single sign-on description: If you want to use certificates for on-premises single-sign on for Azure Active Directory-joined devices, then follow these additional steps. ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 08/19/2018 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Azure AD-join +- ✅ Hybrid Deployment +- ✅ Certificate trust --- # Using Certificates for AADJ On-premises Single-sign On -**Applies to:** - -- Windows 10 -- Windows 11 -- Azure Active Directory-joined -- Hybrid Deployment -- Certificate trust - If you plan to use certificates for on-premises single-sign on, then follow these **additional** steps to configure the environment to enroll Windows Hello for Business certificates for Azure AD-joined devices. > [!IMPORTANT] diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md index 1acba0f5b3..0842bb52e6 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md @@ -2,24 +2,20 @@ title: Azure AD Join Single Sign-on Deployment description: Learn how to provide single sign-on to your on-premises resources for Azure Active Directory-joined devices, using Windows Hello for Business. ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 08/19/2018 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- # Azure AD Join Single Sign-on Deployment -**Applies to** - -- Windows 10 -- Windows 11 -- Azure Active Directory-joined -- Hybrid deployment - Windows Hello for Business combined with Azure Active Directory-joined devices makes it easy for users to securely access cloud-based resources using a strong, two-factor credential. Some resources may remain on-premises as enterprises transition resources to the cloud and Azure AD-joined devices may need to access these resources. With additional configurations to your current hybrid deployment, you can provide single sign-on to your on-premises resources for Azure Active Directory-joined devices using Windows Hello for Business, using a key or a certificate. ## Key vs. Certificate diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md index 546fe98a8e..1dbae77cc3 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md @@ -2,24 +2,22 @@ title: Hybrid Azure AD joined Windows Hello for Business Trust New Installation (Windows Hello for Business) description: Learn about new installations for Windows Hello for Business certificate trust and the various technologies hybrid certificate trust deployments rely on. ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 4/30/2021 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Hybrid deployment +- ✅ Certificate trust --- # Hybrid Azure AD joined Windows Hello for Business Certificate Trust New Installation -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- Hybrid deployment -- Certificate trust - Windows Hello for Business involves configuring distributed technologies that may or may not exist in your current infrastructure. Hybrid certificate trust deployments of Windows Hello for Business rely on these technologies - [Active Directory](#active-directory) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md index 2d15af954c..b35fa21dac 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md @@ -2,24 +2,22 @@ title: Configure Device Registration for Hybrid Azure AD joined Windows Hello for Business description: Azure Device Registration for Hybrid Certificate Trust Deployment (Windows Hello for Business) ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 4/30/2021 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Hybrid deployment +- ✅ Certificate trust --- # Configure Device Registration for Hybrid Azure AD joined Windows Hello for Business -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- Hybrid deployment -- Certificate trust - Your environment is federated and you're ready to configure device registration for your hybrid environment. Hybrid Windows Hello for Business deployment needs device registration and device write-back to enable proper device authentication. > [!IMPORTANT] diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md index edba57fd05..b6d189d7c1 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md @@ -2,24 +2,22 @@ title: Hybrid Azure AD joined Windows Hello for Business Prerequisites description: Learn these prerequisites for hybrid Windows Hello for Business deployments using certificate trust. ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 4/30/2021 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Hybrid deployment +- ✅ Certificate trust --- # Hybrid Azure AD joined Windows Hello for Business Prerequisites -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- Hybrid deployment -- Certificate trust - Hybrid environments are distributed systems that enable organizations to use on-premises and Azure-based identities and resources. Windows Hello for Business uses the existing distributed system as a foundation on which organizations can provide two-factor authentication that provides a single sign-in like experience to modern resources. The distributed systems on which these technologies were built involved several pieces of on-premises and cloud infrastructure. High-level pieces of the infrastructure include: diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md index f9c3cf3feb..72086e9d13 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md @@ -2,24 +2,22 @@ title: Hybrid Certificate Trust Deployment (Windows Hello for Business) description: Learn the information you need to successfully deploy Windows Hello for Business in a hybrid certificate trust scenario. ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 09/08/2017 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Hybrid deployment +- ✅ Certificate trust --- # Hybrid Azure AD joined Certificate Trust Deployment -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- Hybrid deployment -- Certificate trust - Windows Hello for Business replaces username and password sign-in to Windows with strong user authentication based on asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in a hybrid certificate trust scenario. It is recommended that you review the Windows Hello for Business planning guide prior to using the deployment guide. The planning guide helps you make decisions by explaining the available options with each aspect of the deployment and explains the potential outcomes based on each of these decisions. You can review the [planning guide](/windows/access-protection/hello-for-business/hello-planning-guide) and download the [planning worksheet](https://go.microsoft.com/fwlink/?linkid=852514). diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md index f6e69dad32..6721675b09 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md @@ -2,24 +2,22 @@ title: Hybrid Azure AD joined Windows Hello for Business Certificate Trust Provisioning (Windows Hello for Business) description: In this article, learn about provisioning for hybrid certificate trust deployments of Windows Hello for Business. ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 4/30/2021 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Hybrid deployment +- ✅ Certificate trust --- # Hybrid Azure AD joined Windows Hello for Business Certificate Trust Provisioning -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- Hybrid deployment -- Certificate trust - ## Provisioning The Windows Hello for Business provisioning begins immediately after the user has signed in, after the user profile is loaded, but before the user receives their desktop. Windows only launches the provisioning experience if all the prerequisite checks pass. You can determine the status of the prerequisite checks by viewing the **User Device Registration** in the **Event Viewer** under **Applications and Services Logs\Microsoft\Windows**. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md index f8b0c788c1..230a694361 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md @@ -2,24 +2,22 @@ title: Configure Hybrid Azure AD joined Windows Hello for Business - Active Directory (AD) description: Discussing the configuration of Active Directory (AD) in a Hybrid deployment of Windows Hello for Business ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 4/30/2021 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Hybrid deployment +- ✅ Certificate trust --- # Configure Hybrid Azure AD joined Windows Hello for Business: Active Directory -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- Hybrid deployment -- Certificate trust - The key synchronization process for the hybrid deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory schema. ### Creating Security Groups diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md index ed13229f6a..03989ad22c 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md @@ -2,24 +2,22 @@ title: Configuring Hybrid Azure AD joined Windows Hello for Business - Active Directory Federation Services (ADFS) description: Discussing the configuration of Active Directory Federation Services (ADFS) in a Hybrid deployment of Windows Hello for Business ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 4/30/2021 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Hybrid deployment +- ✅ Certificate trust --- # Configure Hybrid Azure AD joined Windows Hello for Business: Active Directory Federation Services -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- Hybrid deployment -- Certificate trust - ## Federation Services The Windows Server 2016 Active Directory Federation Server Certificate Registration Authority (AD FS RA) enrolls for an enrollment agent certificate. Once the registration authority verifies the certificate request, it signs the certificate request using its enrollment agent certificate and sends it to the certificate authority. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md index 3dea044165..7e29ef7f6a 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md @@ -2,25 +2,23 @@ title: Configure Hybrid Azure AD joined Windows Hello for Business Directory Synch description: Discussing Directory Synchronization in a Hybrid deployment of Windows Hello for Business ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 4/30/2021 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Hybrid deployment +- ✅ Certificate trust --- # Configure Hybrid Azure AD joined Windows Hello for Business- Directory Synchronization -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- Hybrid deployment -- Certificate Trust - ## Directory Synchronization In hybrid deployments, users register the public portion of their Windows Hello for Business credential with Azure. Azure AD Connect synchronizes the Windows Hello for Business public key to Active Directory. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md index 0a7da03055..e604fc736f 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md @@ -2,25 +2,23 @@ title: Configuring Hybrid Azure AD joined Windows Hello for Business - Public Key Infrastructure (PKI) description: Discussing the configuration of the Public Key Infrastructure (PKI) in a Hybrid deployment of Windows Hello for Business ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 4/30/2021 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Hybrid deployment +- ✅ Certificate trust --- # Configure Hybrid Azure AD joined Windows Hello for Business - Public Key Infrastructure -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- Hybrid Deployment -- Certificate Trust - Windows Hello for Business deployments rely on certificates. Hybrid deployments use publicly-issued server authentication certificates to validate the name of the server to which they are connecting and to encrypt the data that flows between them and the client computer. All deployments use enterprise issued certificates for domain controllers as a root of trust. Hybrid certificate trust deployments issue users with a sign-in certificate that enables them to authenticate using Windows Hello for Business credentials to non-Windows Server 2016 domain controllers. Additionally, hybrid certificate trust deployments issue certificates to registration authorities to provide defense-in-depth security when issuing user authentication certificates. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md index bba12adf27..2708e9a22c 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md @@ -2,23 +2,22 @@ title: Configuring Hybrid Azure AD joined Windows Hello for Business - Group Policy description: Discussing the configuration of Group Policy in a Hybrid deployment of Windows Hello for Business ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 4/30/2021 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Hybrid deployment +- ✅ Certificate trust --- # Configure Hybrid Azure AD joined Windows Hello for Business - Group Policy -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- Hybrid deployment -- Certificate trust ## Policy Configuration diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md index ec22d31a65..c0ba9ce415 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md @@ -2,24 +2,22 @@ title: Configure Hybrid Windows Hello for Business Settings (Windows Hello for Business) description: Learn how to configure Windows Hello for Business settings in hybrid certificate trust deployment. ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 4/30/2021 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Hybrid deployment +- ✅ Certificate trust --- # Configure Hybrid Azure AD joined Windows Hello for Business -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- Hybrid deployment -- Certificate trust - Your environment is federated and you are ready to configure your hybrid environment for Windows Hello for business using the certificate trust model. > [!IMPORTANT] > If your environment is not federated, review the [New Installation baseline](hello-hybrid-cert-new-install.md) section of this deployment document to learn how to federate your environment for your Windows Hello for Business deployment. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md index 1f4f7f1f17..e8589d8b29 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md @@ -2,22 +2,20 @@ title: Hybrid Cloud Trust Deployment (Windows Hello for Business) description: Learn the information you need to successfully deploy Windows Hello for Business in a hybrid cloud trust scenario. ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 2/15/2022 -ms.reviewer: +appliesto: +- ✅ Windows 10 21H2 and later +- ✅ Windows 11 --- # Hybrid Cloud Trust Deployment (Preview) -Applies to - -- Windows 10, version 21H2 -- Windows 11 and later - Windows Hello for Business replaces username and password Windows sign-in with strong authentication using an asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in a hybrid cloud trust scenario. ## Introduction to Cloud Trust diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md index 66a720d026..98599d9132 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md @@ -2,25 +2,22 @@ title: Windows Hello for Business Hybrid Azure AD joined Key Trust New Installation description: Learn how to configure a hybrid key trust deployment of Windows Hello for Business for systems with no previous installations. ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 4/30/2021 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Hybrid deployment +- ✅ Key trust --- # Windows Hello for Business Hybrid Azure AD joined Key Trust New Installation -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- Hybrid deployment -- Key trust - - Windows Hello for Business involves configuring distributed technologies that may or may not exist in your current infrastructure. Hybrid key trust deployments of Windows Hello for Business rely on these technologies - [Active Directory](#active-directory) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md index 4d064c210c..49cd5d3b42 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md @@ -2,25 +2,22 @@ title: Configure Device Registration for Hybrid Azure AD joined key trust Windows Hello for Business description: Azure Device Registration for Hybrid Certificate Key Deployment (Windows Hello for Business) ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 05/04/2022 -ms.reviewer: prsriva - +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Hybrid deployment +- ✅ Key trust --- # Configure Device Registration for Hybrid Azure AD joined key trust Windows Hello for Business -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- Hybrid deployment -- Key trust - You're ready to configure device registration for your hybrid environment. Hybrid Windows Hello for Business deployment needs device registration to enable proper device authentication. > [!NOTE] diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md index 299e93c00c..d3e68887fd 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md @@ -2,24 +2,22 @@ title: Configure Directory Synchronization for Hybrid Azure AD joined key trust Windows Hello for Business description: Azure Directory Synchronization for Hybrid Certificate Key Deployment (Windows Hello for Business) ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 4/30/2021 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Hybrid deployment +- ✅ Key trust --- # Configure Directory Synchronization for Hybrid Azure AD joined key trust Windows Hello for Business -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- Hybrid deployment -- Key trust - You are ready to configure directory synchronization for your hybrid environment. Hybrid Windows Hello for Business deployment needs both a cloud and an on-premises identity to authenticate and access resources in the cloud or on-premises. ## Deploy Azure AD Connect diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md index 0850fae7f7..b732396e36 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md @@ -2,24 +2,21 @@ title: Hybrid Azure AD joined Key trust Windows Hello for Business Prerequisites (Windows Hello for Business) description: Learn about the prerequisites for hybrid Windows Hello for Business deployments using key trust and what the next steps are in the deployment process. ms.prod: m365-security -author: mapalko -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 4/30/2021 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Hybrid deployment +- ✅ Key trust --- # Hybrid Azure AD joined Key trust Windows Hello for Business Prerequisites -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- Hybrid deployment -- Key trust - Hybrid environments are distributed systems that enable organizations to use on-premises and Azure-based identities and resources. Windows Hello for Business uses the existing distributed system as a foundation on which organizations can provide two-factor authentication that provides a single sign-in like experience to modern resources. The distributed systems on which these technologies were built involved several pieces of on-premises and cloud infrastructure. High-level pieces of the infrastructure include: @@ -35,7 +32,7 @@ The distributed systems on which these technologies were built involved several Hybrid Windows Hello for Business needs two directories: on-premises Active Directory and a cloud Azure Active Directory. The minimum required domain functional and forest functional levels for Windows Hello for Business deployment is Windows Server 2008 R2. -A hybrid Windows Hello for Business deployment needs an Azure Active Directory subscription. The hybrid key trust deployment, does not need a premium Azure Active Directory subscription. +A hybrid Windows Hello for Business deployment needs an Azure Active Directory subscription. The hybrid key trust deployment does not need a premium Azure Active Directory subscription. You can deploy Windows Hello for Business in any environment with Windows Server 2008 R2 or later domain controllers. If using the key trust deployment model, you MUST ensure that you have adequate (1 or more, depending on your authentication load) Windows Server 2016 or later Domain Controllers in each Active Directory site where users will be authenticating for Windows Hello for Business. @@ -90,7 +87,7 @@ The minimum required Enterprise certificate authority that can be used with Wind The two directories used in hybrid deployments must be synchronized. You need Azure Active Directory Connect to synchronize user accounts in the on-premises Active Directory with Azure Active Directory. -Organizations using older directory synchronization technology, such as DirSync or Azure AD sync need to upgrade to Azure AD Connect. +Organizations using older directory synchronization technology, such as DirSync or Azure AD sync, need to upgrade to Azure AD Connect. ### Section Review diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md index 833968247b..7a7e3f3eed 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md @@ -2,24 +2,22 @@ title: Hybrid Key Trust Deployment (Windows Hello for Business) description: Review this deployment guide to successfully deploy Windows Hello for Business in a hybrid key trust scenario. ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 08/20/2018 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Hybrid deployment +- ✅ Key trust --- # Hybrid Azure AD joined Key Trust Deployment -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- Hybrid deployment -- Key trust - Windows Hello for Business replaces username and password sign-in to Windows with strong user authentication based on asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in a hybrid key trust scenario. It is recommended that you review the Windows Hello for Business planning guide prior to using the deployment guide. The planning guide helps you make decisions by explaining the available options with each aspect of the deployment and explains the potential outcomes based on each of these decisions. You can review the [planning guide](/windows/access-protection/hello-for-business/hello-planning-guide) and download the [planning worksheet](https://go.microsoft.com/fwlink/?linkid=852514). diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md index 925d6d12e8..4b009fe228 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md @@ -2,24 +2,21 @@ title: Hybrid Azure AD joined Windows Hello for Business key trust Provisioning (Windows Hello for Business) description: Learn about provisioning for hybrid key trust deployments of Windows Hello for Business and learn where to find the hybrid key trust deployment guide. ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 4/30/2021 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Hybrid deployment +- ✅ Key trust --- # Hybrid Azure AD joined Windows Hello for Business Key Trust Provisioning - -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- Hybrid deployment -- Key trust - ## Provisioning The Windows Hello for Business provisioning begins immediately after the user has signed in, after the user profile is loaded, but before the user receives their desktop. Windows only launches the provisioning experience if all the prerequisite checks pass. You can determine the status of the prerequisite checks by viewing the **User Device Registration** in the **Event Viewer** under **Applications and Services Logs\Microsoft\Windows**. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md index bbdde28351..49124b1ddf 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md @@ -2,23 +2,22 @@ title: Configuring Hybrid Azure AD joined key trust Windows Hello for Business - Active Directory (AD) description: Configuring Hybrid key trust Windows Hello for Business - Active Directory (AD) ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 4/30/2021 -ms.reviewer: --- # Configuring Hybrid Azure AD joined key trust Windows Hello for Business: Active Directory +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Hybrid deployment +- ✅ Key trust -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- Hybrid deployment -- Key trust Configure the appropriate security groups to efficiently deploy Windows Hello for Business to users. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md index 0ed4142f70..1092173f9c 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md @@ -2,24 +2,22 @@ title: Hybrid Azure AD joined Windows Hello for Business - Directory Synchronization description: How to configure Hybrid key trust Windows Hello for Business - Directory Synchronization ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 4/30/2021 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Hybrid deployment +- ✅ Key trust --- # Configure Hybrid Azure AD joined Windows Hello for Business: Directory Synchronization -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- Hybrid deployment -- Key trust - ## Directory Synchronization In hybrid deployments, users register the public portion of their Windows Hello for Business credential with Azure. Azure AD Connect synchronizes the Windows Hello for Business public key to Active Directory. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md index 5f2d0ed289..8a9e8ee322 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md @@ -2,25 +2,22 @@ title: Configure Hybrid Azure AD joined key trust Windows Hello for Business description: Configuring Hybrid key trust Windows Hello for Business - Public Key Infrastructure (PKI) ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 04/30/2021 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Hybrid deployment +- ✅ Key trust --- - # Configure Hybrid Azure AD joined Windows Hello for Business: Public Key Infrastructure -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- Hybrid Deployment -- Key trust - Windows Hello for Business deployments rely on certificates. Hybrid deployments use publicly issued server authentication certificates to validate the name of the server to which they are connecting and to encrypt the data that flows them and the client computer. All deployments use enterprise issued certificates for domain controllers as a root of trust. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md index 26b31e209b..4522c3b93d 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md @@ -2,24 +2,22 @@ title: Configure Hybrid Azure AD joined Windows Hello for Business - Group Policy description: Configuring Hybrid key trust Windows Hello for Business - Group Policy ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 4/30/2021 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Hybrid deployment +- ✅ Key trust --- # Configure Hybrid Azure AD joined Windows Hello for Business: Group Policy -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- Hybrid deployment -- Key trust - ## Policy Configuration You need at least a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520). diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md index 29c29de56f..ea0439b451 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md @@ -2,24 +2,22 @@ title: Configure Hybrid Azure AD joined Windows Hello for Business key trust Settings description: Begin the process of configuring your hybrid key trust environment for Windows Hello for Business. Start with your Active Directory configuration. ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 4/30/2021 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Hybrid deployment +- ✅ Key trust --- # Configure Hybrid Azure AD joined Windows Hello for Business key trust settings -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- Hybrid deployment -- Key trust - You are ready to configure your hybrid Azure AD joined key trust environment for Windows Hello for Business. > [!IMPORTANT] @@ -36,10 +34,6 @@ For the most efficient deployment, configure these technologies in order beginni > [!div class="step-by-step"] > [Configure Active Directory >](hello-hybrid-key-whfb-settings-ad.md) -

                  - -
                  - ## Follow the Windows Hello for Business hybrid key trust deployment guide 1. [Overview](hello-hybrid-key-trust.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md index 185768fe63..7a9e8e62b1 100644 --- a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md +++ b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md @@ -2,9 +2,10 @@ title: Windows Hello for Business Deployment Prerequisite Overview description: Overview of all the different infrastructure requirements for Windows Hello for Business deployment models ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: - M365-identity-device-management - highpri diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md index d2c141ca3a..8761b3eaf6 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md @@ -2,24 +2,22 @@ title: Prepare & Deploy Windows Active Directory Federation Services with key trust (Windows Hello for Business) description: How to Prepare and Deploy Windows Server 2016 Active Directory Federation Services for Windows Hello for Business using key trust. ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 08/19/2018 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ On-premises deployment +- ✅ Key trust --- # Prepare and Deploy Windows Server 2016 Active Directory Federation Services with Key Trust -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- On-premises deployment -- Key trust - Windows Hello for Business works exclusively with the Active Directory Federation Service role included with Windows Server 2016 and requires an additional server update. The on-premises key trust deployment uses Active Directory Federation Services roles for key registration and device registration. The following guidance describes deploying a new instance of Active Directory Federation Services 2016 using the Windows Information Database as the configuration database, which is ideal for environments with no more than 30 federation servers and no more than 100 relying party trusts. diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md index 5baf31a055..b954e4d073 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md @@ -2,25 +2,22 @@ title: Configure Windows Hello for Business Policy settings - key trust description: Configure Windows Hello for Business Policy settings for Windows Hello for Business ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 08/19/2018 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ On-premises deployment +- ✅ Key trust --- # Configure Windows Hello for Business Policy settings - Key Trust -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- On-premises deployment -- Key trust - - You need at least a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows. You can download these tools from [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520). Install the Remote Server Administration Tools for Windows on a computer running Windows 10, version 1703 or later. diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md index c8227d9536..64195a8b82 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md @@ -2,24 +2,22 @@ title: Key registration for on-premises deployment of Windows Hello for Business description: How to Validate Active Directory prerequisites for Windows Hello for Business when deploying with the key trust model. ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 08/19/2018 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ On-premises deployment +- ✅ Key trust --- # Validate Active Directory prerequisites - Key Trust -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- On-premises deployment -- Key trust - Key trust deployments need an adequate number of 2016 or later domain controllers to ensure successful user authentication with Windows Hello for Business. To learn more about domain controller planning for key trust deployments, read the [Windows Hello for Business planning guide](hello-planning-guide.md), the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) section. > [!NOTE] diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md index 968ae0d5b0..81e0df5016 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md @@ -2,27 +2,25 @@ title: Validate and Deploy MFA for Windows Hello for Business with key trust description: How to Validate and Deploy Multifactor Authentication (MFA) Services for Windows Hello for Business with key trust ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 08/19/2018 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ On-premises deployment +- ✅ Key trust --- # Validate and Deploy Multifactor Authentication (MFA) > [!IMPORTANT] > As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments. New customers who would like to require multifactor authentication from their users should use cloud-based Azure AD Multi-Factor Authentication. Existing customers who have activated MFA Server prior to July 1 will be able to download the latest version, future updates and generate activation credentials as usual. -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- On-premises deployment -- Key trust - Windows Hello for Business requires all users perform multi-factor authentication prior to creating and registering a Windows Hello for Business credential. On-premises deployments can use certificates, third-party authentication providers for AD FS, or a custom authentication provider for AD FS as an on-premises MFA option. For information on available third-party authentication methods see [Configure Additional Authentication Methods for AD FS](/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs). For creating a custom authentication method see [Build a Custom Authentication Method for AD FS in Windows Server](/windows-server/identity/ad-fs/development/ad-fs-build-custom-auth-method) diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md index 809720fdba..d12ad32ade 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md @@ -2,25 +2,22 @@ title: Validate Public Key Infrastructure - key trust model (Windows Hello for Business) description: How to Validate Public Key Infrastructure for Windows Hello for Business, under a key trust model. ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 08/19/2018 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ On-premises deployment +- ✅ Key trust --- - # Validate and Configure Public Key Infrastructure - Key Trust -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- On-premises deployment -- Key trust - Windows Hello for Business must have a public key infrastructure regardless of the deployment or trust model. All trust models depend on the domain controllers having a certificate. The certificate serves as a root of trust for clients to ensure they are not communicating with a rogue domain controller. ## Deploy an enterprise certificate authority diff --git a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md index deba83abae..7127970af5 100644 --- a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md +++ b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md @@ -2,24 +2,23 @@ title: Manage Windows Hello in your organization (Windows) description: You can create a Group Policy or mobile device management (MDM) policy that will implement Windows Hello for Business on devices running Windows 10. ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: - M365-identity-device-management - highpri ms.topic: article ms.localizationpriority: medium ms.date: 2/15/2022 +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- # Manage Windows Hello for Business in your organization -**Applies to** - -- Windows 10 -- Windows 11 - You can create a Group Policy or mobile device management (MDM) policy that will implement Windows Hello on devices running Windows 10. >[!IMPORTANT] diff --git a/windows/security/identity-protection/hello-for-business/hello-overview.md b/windows/security/identity-protection/hello-for-business/hello-overview.md index 37a81d4995..6a355853aa 100644 --- a/windows/security/identity-protection/hello-for-business/hello-overview.md +++ b/windows/security/identity-protection/hello-for-business/hello-overview.md @@ -1,25 +1,22 @@ --- title: Windows Hello for Business Overview (Windows) -ms.reviewer: An overview of Windows Hello for Business description: Learn how Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices in Windows 10 and Windows 11. ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: - M365-identity-device-management - highpri ms.topic: conceptual localizationpriority: medium +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- - # Windows Hello for Business Overview -**Applies to** - -- Windows 10 -- Windows 11 - In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on devices. This authentication consists of a new type of user credential that is tied to a device and uses a biometric or PIN. >[!NOTE] diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md index 3212485067..c1dc768999 100644 --- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md @@ -2,23 +2,22 @@ title: Planning a Windows Hello for Business Deployment description: Learn about the role of each component within Windows Hello for Business and how certain deployment decisions affect other aspects of your infrastructure. ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: - M365-identity-device-management - highpri ms.topic: article localizationpriority: conceptual ms.date: 09/16/2020 +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- # Planning a Windows Hello for Business Deployment -**Applies to** - -- Windows 10 -- Windows 11 - Congratulations! You are taking the first step forward in helping move your organizations away from password to a two-factor, convenience authentication for Windows — Windows Hello for Business. This planning guide helps you understand the different topologies, architectures, and components that encompass a Windows Hello for Business infrastructure. This guide explains the role of each component within Windows Hello for Business and how certain deployment decisions affect other aspects of the infrastructure. Armed with your planning worksheet, you'll use that information to select the correct deployment guide for your needs. diff --git a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md b/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md index 6b57daee9c..89efd738ea 100644 --- a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md +++ b/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md @@ -1,24 +1,21 @@ --- title: Prepare people to use Windows Hello (Windows) description: When you set a policy to require Windows Hello for Business in the workplace, you will want to prepare people in your organization. -ms.reviewer: ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 08/19/2018 +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- - # Prepare people to use Windows Hello -**Applies to** - -- Windows 10 -- Windows 11 - When you set a policy to require Windows Hello for Business in the workplace, you will want to prepare people in your organization by explaining how to use Hello. After enrollment in Hello, users should use their gesture (such as a PIN or fingerprint) for access to corporate resources. Their gesture is only valid on the enrolled device. diff --git a/windows/security/identity-protection/hello-for-business/hello-videos.md b/windows/security/identity-protection/hello-for-business/hello-videos.md index 05c92d9ba2..cf437e3bee 100644 --- a/windows/security/identity-protection/hello-for-business/hello-videos.md +++ b/windows/security/identity-protection/hello-for-business/hello-videos.md @@ -2,22 +2,19 @@ title: Windows Hello for Business Videos description: View several informative videos describing features and experiences in Windows Hello for Business in Windows 10 and Windows 11. ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 07/26/2022 -ms.reviewer: paoloma +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- # Windows Hello for Business Videos - -**Applies to** - -- Windows 10 -- Windows 11 - ## Overview of Windows Hello for Business and Features Watch Pieter Wigleven explain Windows Hello for Business, Multi-factor Unlock, and Dynamic Lock diff --git a/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md b/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md index ef30d59ed1..887d2893eb 100644 --- a/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md +++ b/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md @@ -2,24 +2,22 @@ title: Why a PIN is better than an online password (Windows) description: Windows Hello in Windows 10 enables users to sign in to their device using a PIN. How is a PIN different from (and better than) an online password . ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: - M365-identity-device-management - highpri ms.topic: article ms.localizationpriority: medium ms.date: 10/23/2017 +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- - # Why a PIN is better than an online password -**Applies to** - -- Windows 10 -- Windows 11 - Windows Hello in Windows 10 enables users to sign in to their device using a PIN. How is a PIN different from (and better than) a local password? On the surface, a PIN looks much like a password. A PIN can be a set of numbers, but enterprise policy might allow complex PINs that include special characters and letters, both upper-case and lower-case. Something like **t758A!** could be an account password or a complex Hello PIN. It isn't the structure of a PIN (length, complexity) that makes it better than an online password, it's how it works. First we need to distinguish between two types of passwords: `local` passwords are validated against the machine's password store, whereas `online` passwords are validated against a server. This article mostly covers the benefits a PIN has over an online password, and also why it can be considered even better than a local password. diff --git a/windows/security/identity-protection/hello-for-business/index.yml b/windows/security/identity-protection/hello-for-business/index.yml index 62c038bd6b..bdd841ab2c 100644 --- a/windows/security/identity-protection/hello-for-business/index.yml +++ b/windows/security/identity-protection/hello-for-business/index.yml @@ -8,9 +8,10 @@ metadata: description: Learn how to manage and deploy Windows Hello for Business. ms.prod: m365-security ms.topic: landing-page - author: GitPrakhar13 - manager: dansimp - ms.author: prsriva + author: paolomatarazzo + ms.author: paoloma + manager: aaroncz + ms.reviewer: prsriva ms.date: 01/22/2021 ms.collection: - M365-identity-device-management diff --git a/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md b/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md index 75645f288d..2d0f9aed02 100644 --- a/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md +++ b/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md @@ -2,14 +2,14 @@ title: Microsoft-compatible security key description: Learn how a Microsoft-compatible security key for Windows is different (and better) than any other FIDO2 security key. ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 11/14/2018 -ms.reviewer: --- # What is a Microsoft-compatible security key? diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 74765dffac..be9b81f965 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -2,14 +2,17 @@ title: Password-less strategy description: Learn about the password-less strategy and how Windows Hello for Business implements this strategy in Windows 10 and Windows 11. ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp -ms.reviewer: +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: conceptual localizationpriority: medium ms.date: 05/24/2022 +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- # Password-less strategy diff --git a/windows/security/identity-protection/hello-for-business/reset-security-key.md b/windows/security/identity-protection/hello-for-business/reset-security-key.md index e2f9b9e978..3818cf29e6 100644 --- a/windows/security/identity-protection/hello-for-business/reset-security-key.md +++ b/windows/security/identity-protection/hello-for-business/reset-security-key.md @@ -2,14 +2,14 @@ title: Reset-security-key description: Windows 10 and Windows 11 enables users to sign in to their device using a security key. How to reset a security key ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 11/14/2018 -ms.reviewer: --- # How to reset a Microsoft-compatible security key? > [!Warning] diff --git a/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md b/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md index 29e42655ab..aaca362314 100644 --- a/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md +++ b/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md @@ -2,21 +2,18 @@ title: How Windows Hello for Business works (Windows) description: Learn about registration, authentication, key material, and infrastructure for Windows Hello for Business. ms.prod: m365-security -author: mapalko ms.localizationpriority: high -ms.author: mapalko +author: paolomatarazzo +ms.author: paoloma ms.date: 10/16/2017 -ms.reviewer: -manager: dansimp +manager: aaroncz ms.topic: article +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- # How Windows Hello for Business works in Windows devices -**Applies to** - -- Windows 10 -- Windows 11 - Windows Hello for Business requires a registered device. When the device is set up, its user can use the device to authenticate to services. This topic explains how device registration works, what happens when a user requests authentication, how key material is stored and processed, and which servers and infrastructure components are involved in different parts of this process. ## Register a new user or device @@ -58,14 +55,14 @@ Containers can contain several types of key material: - An authentication key, which is always an asymmetric public–private key pair. This key pair is generated during registration. It must be unlocked each time it’s accessed, by using either the user’s PIN or a previously generated biometric gesture. The authentication key exists until the user resets the PIN, at which time a new key will be generated. When the new key is generated, all the key material that the old key previously protected must be decrypted and re-encrypted using the new key. - Virtual smart card keys are generated when a virtual smart card is generated and stored securely in the container. They’re available whenever the user’s container is unlocked. -- The IDP key. These keys can be either symmetric or asymmetric, depending on which IDP you use. A single container may contain zero or more IDP keys, with some restrictions (for example, the enterprise container can contain zero or one IDP keys). IDP keys are stored in the container. For certificate-based Windows Hello for Work, when the container is unlocked, applications that require access to the IDP key or key pair can request access. IDP keys are used to sign or encrypt authentication requests or tokens sent from this device to the IDP. IDP keys are typically long-lived but could have a shorter lifetime than the authentication key. Microsoft accounts, Active Directory accounts, and Azure AD accounts all require the use of asymmetric key pairs. The device generates public and private keys, registers the public key with the IDP (which stores it for later verification), and securely stores the private key. For enterprises, the IDP keys can be generated in two ways: +- The IDP key. These keys can be either symmetric or asymmetric, depending on which IDP you use. A single container may contain zero or more IDP keys, with some restrictions (for example, the enterprise container can contain zero or one IDP key). IDP keys are stored in the container. For certificate-based Windows Hello for Work, when the container is unlocked, applications that require access to the IDP key or key pair can request access. IDP keys are used to sign or encrypt authentication requests or tokens sent from this device to the IDP. IDP keys are typically long-lived but could have a shorter lifetime than the authentication key. Microsoft accounts, Active Directory accounts, and Azure AD accounts all require the use of asymmetric key pairs. The device generates public and private keys, registers the public key with the IDP (which stores it for later verification), and securely stores the private key. For enterprises, the IDP keys can be generated in two ways: - The IDP key pair can be associated with an enterprise Certificate Authority (CA) through the Windows Network Device Enrollment Service (NDES), described more fully in [Network Device Enrollment Service Guidance](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831498(v=ws.11)). In this case, Windows Hello requests a new certificate with the same key as the certificate from the existing PKI. This option lets organizations that have an existing PKI continue to use it where appropriate. Given that many applications, such as popular virtual private network systems, require the use of certificates, when you deploy Windows Hello in this mode, it allows a faster transition away from user passwords while still preserving certificate-based functionality. This option also allows the enterprise to store additional certificates in the protected container. - The IDP can generate the IDP key pair directly, which allows quick, lower-overhead deployment of Windows Hello in environments that don’t have or need a PKI. ## How keys are protected -Any time key material is generated, it must be protected against attack. The most robust way to do this is through specialized hardware. There’s a long history of using hardware security modules (HSMs) to generate, store, and process keys for security-critical applications. Smart cards are a special type of HSM, as are devices that are compliant with the Trusted Computing Group TPM standard. Wherever possible, the Windows Hello for Work implementation takes advantage of onboard TPM hardware to generate and protect keys. However, Windows Hello and Windows Hello for Work do not require an onboard TPM. Administrators can choose to allow key operations in software, in which case any user who has (or can escalate to) administrative rights on the device can use the IDP keys to sign requests. As an alternative, in some scenarios, devices that don’t have a TPM can be remotely authenticated by using a device that does have a TPM, in which case all the sensitive operations are performed with the TPM and no key material is exposed. +Anytime key material is generated, it must be protected against attack. The most robust way to do this is through specialized hardware. There’s a long history of using hardware security modules (HSMs) to generate, store, and process keys for security-critical applications. Smart cards are a special type of HSM, as are devices that are compliant with the Trusted Computing Group TPM standard. Wherever possible, the Windows Hello for Work implementation takes advantage of onboard TPM hardware to generate and protect keys. However, Windows Hello and Windows Hello for Work do not require an onboard TPM. Administrators can choose to allow key operations in software, in which case any user who has (or can escalate to) administrative rights on the device can use the IDP keys to sign requests. As an alternative, in some scenarios, devices that don’t have a TPM can be remotely authenticated by using a device that does have a TPM, in which case all the sensitive operations are performed with the TPM and no key material is exposed. Whenever possible, Microsoft recommends the use of TPM hardware. The TPM protects against a variety of known and potential attacks, including PIN brute-force attacks. The TPM provides an additional layer of protection after an account lockout, too. When the TPM has locked the key material, the user will have to reset the PIN (which means he or she will have to use MFA to reauthenticate to the IDP before the IDP allows him or her to re-register). Resetting the PIN means that all keys and certificates encrypted with the old key material will be removed. @@ -74,7 +71,7 @@ Whenever possible, Microsoft recommends the use of TPM hardware. The TPM protect When a user wants to access protected key material, the authentication process begins with the user entering a PIN or biometric gesture to unlock the device, a process sometimes called releasing the key. Think of it like using a physical key to unlock a door: before you can unlock the door, you need to remove the key from your pocket or purse. The user's PIN unlocks the protector key for the container on the device. When that container is unlocked, applications (and thus the user) can use whatever IDP keys reside inside the container. -These keys are used to sign requests that are sent to the IDP, requesting access to specified resources. It’s important to understand that although the keys are unlocked, applications cannot use them at will. Applications can use specific APIs to request operations that require key material for particular actions (for example, decrypt an email message or sign in to a website). Access through these APIs doesn’t require explicit validation through a user gesture, and the key material isn’t exposed to the requesting application. Rather, the application asks for authentication, encryption, or decryption, and the Windows Hello layer handles the actual work and returns the results. Where appropriate, an application can request a forced authentication even on an unlocked device. Windows prompts the user to reenter the PIN or perform an authentication gesture, which adds an extra level of protection for sensitive data or actions. For example, you can configure the Microsoft Store to require reauthentication any time a user purchases an application, even though the same account and PIN or gesture were already used to unlock the device. +These keys are used to sign requests that are sent to the IDP, requesting access to specified resources. It’s important to understand that although the keys are unlocked, applications cannot use them at will. Applications can use specific APIs to request operations that require key material for particular actions (for example, decrypt an email message or sign in to a website). Access through these APIs doesn’t require explicit validation through a user gesture, and the key material isn’t exposed to the requesting application. Rather, the application asks for authentication, encryption, or decryption, and the Windows Hello layer handles the actual work and returns the results. Where appropriate, an application can request a forced authentication even on an unlocked device. Windows prompts the user to reenter the PIN or perform an authentication gesture, which adds an extra level of protection for sensitive data or actions. For example, you can configure the Microsoft Store to require reauthentication anytime a user purchases an application, even though the same account and PIN or gesture were already used to unlock the device. For example, the authentication process for Azure Active Directory works like this: diff --git a/windows/security/identity-protection/index.md b/windows/security/identity-protection/index.md index 330cc0041d..ee523e79f7 100644 --- a/windows/security/identity-protection/index.md +++ b/windows/security/identity-protection/index.md @@ -2,18 +2,21 @@ title: Identity and access management (Windows 10) description: Learn more about identity and access protection technologies in Windows. ms.prod: m365-security -author: dansimp -ms.author: dansimp -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium ms.date: 02/05/2018 +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- # Identity and access management -Learn more about identity and access management technologies in Windows 10. +Learn more about identity and access management technologies in Windows 10 and Windows 11. | Section | Description | |-|-| diff --git a/windows/security/identity-protection/password-support-policy.md b/windows/security/identity-protection/password-support-policy.md index 5cc29b63a0..a48a887b72 100644 --- a/windows/security/identity-protection/password-support-policy.md +++ b/windows/security/identity-protection/password-support-policy.md @@ -1,16 +1,15 @@ --- title: Technical support policy for lost or forgotten passwords description: Outlines the ways in which Microsoft can help you reset a lost or forgotten password, and provides links to instructions for doing so. -ms.reviewer: kaushika -manager: kaushika ms.custom: - CI ID 110060 - CSSTroubleshoot -ms.author: v-tappelgate ms.prod: m365-security -author: Teresa-Motiv ms.topic: article ms.localizationpriority: medium +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz ms.date: 11/20/2019 --- diff --git a/windows/security/identity-protection/remote-credential-guard.md b/windows/security/identity-protection/remote-credential-guard.md index a477d48218..4d160b97b2 100644 --- a/windows/security/identity-protection/remote-credential-guard.md +++ b/windows/security/identity-protection/remote-credential-guard.md @@ -2,22 +2,21 @@ title: Protect Remote Desktop credentials with Windows Defender Remote Credential Guard (Windows 10) description: Windows Defender Remote Credential Guard helps to secure your Remote Desktop credentials by never sending them to the target device. ms.prod: m365-security -author: dansimp -ms.author: dansimp -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz ms.collection: - M365-identity-device-management - highpri ms.topic: article ms.localizationpriority: medium ms.date: 01/12/2018 +appliesto: +- ✅ Windows 10 +- ✅ Windows Server 2016 --- # Protect Remote Desktop credentials with Windows Defender Remote Credential Guard -**Applies to** -- Windows 10 -- Windows Server 2016 - Introduced in Windows 10, version 1607, Windows Defender Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting Kerberos requests back to the device that's requesting the connection. It also provides single sign-on experiences for Remote Desktop sessions. Administrator credentials are highly privileged and must be protected. By using Windows Defender Remote Credential Guard to connect during Remote Desktop sessions, if the target device is compromised, your credentials are not exposed because both credential and credential derivatives are never passed over the network to the target device. diff --git a/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md b/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md index 101b50087d..613d27bf02 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md +++ b/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md @@ -2,20 +2,23 @@ title: Smart Card and Remote Desktop Services (Windows) description: This topic for the IT professional describes the behavior of Remote Desktop Services when you implement smart card sign-in. ms.prod: m365-security -author: dansimp -ms.author: dansimp -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +ms.reviewer: ardenw +manager: aaroncz ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium ms.date: 09/24/2021 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- - # Smart Card and Remote Desktop Services -Applies To: Windows 10, Windows 11, Windows Server 2016 and above - This topic for the IT professional describes the behavior of Remote Desktop Services when you implement smart card sign-in. The content in this topic applies to the versions of Windows that are designated in the **Applies To** list at the beginning of this topic. In these versions, smart card redirection logic and **WinSCard** API are combined to support multiple redirected sessions into a single process. @@ -60,7 +63,7 @@ When smart card-enabled single sign-in (SSO) is used for Remote Desktop Services ### Remote Desktop Services and smart card sign-in -Remote Desktop Services enable users to sign in with a smart card by entering a PIN on the RDC client computer and sending it to the RD Session Host server in a manner similar to authentication that is based on user name and password. +Remote Desktop Services enables users to sign in with a smart card by entering a PIN on the RDC client computer and sending it to the RD Session Host server in a manner similar to authentication that is based on user name and password. In addition, Group Policy settings that are specific to Remote Desktop Services need to be enabled for smart card-based sign-in. diff --git a/windows/security/identity-protection/smart-cards/smart-card-architecture.md b/windows/security/identity-protection/smart-cards/smart-card-architecture.md index ddc63b2e02..3fa8e4255e 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-architecture.md +++ b/windows/security/identity-protection/smart-cards/smart-card-architecture.md @@ -2,20 +2,24 @@ title: Smart Card Architecture (Windows) description: This topic for the IT professional describes the system architecture that supports smart cards in the Windows operating system. ms.prod: m365-security -author: dansimp -ms.author: dansimp -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +ms.reviewer: ardenw +manager: aaroncz ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium ms.date: 09/24/2021 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Smart Card Architecture -Applies To: Windows 10, Windows 11, Windows Server 2016 and above - This topic for the IT professional describes the system architecture that supports smart cards in the Windows operating system, including credential provider architecture and the smart card subsystem architecture. Authentication is a process for verifying the identity of an object or person. When you authenticate an object, such as a smart card, the goal is to verify that the object is genuine. When you authenticate a person, the goal is to verify that you are not dealing with an imposter. @@ -118,7 +122,7 @@ The global data cache is hosted in the Smart Cards for Windows service. Windows The PIN cache protects the user from entering a PIN every time the smart card is unauthenticated. After a smart card is authenticated, it will not differentiate among host-side applications—any application can access private data on the smart card. -To mitigate this, the smart card enters an exclusive state when an application authenticates to the smart card. However, this means that other applications cannot communicate with the smart card and will be blocked. Therefore, such exclusive connections are minimized. The issue is that a protocol (such as the Kerberos protocol) requires multiple signing operations. Therefore, the protocol requires exclusive access to the smart card over an extended period, or it require multiple authentication operations. This is where the PIN cache is used to minimize exclusive use of the smart card without forcing the user to enter a PIN multiple times. +To mitigate this, the smart card enters an exclusive state when an application authenticates to the smart card. However, this means that other applications cannot communicate with the smart card and will be blocked. Therefore, such exclusive connections are minimized. The issue is that a protocol (such as the Kerberos protocol) requires multiple signing operations. Therefore, the protocol requires exclusive access to the smart card over an extended period, or it requires multiple authentication operations. This is where the PIN cache is used to minimize exclusive use of the smart card without forcing the user to enter a PIN multiple times. The following example illustrates how this works. In this scenario, there are two applications: Outlook and Internet Explorer. The applications use smart cards for different purposes. diff --git a/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md b/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md index ad0699cf6a..ef2c516483 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md +++ b/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md @@ -2,20 +2,24 @@ title: Certificate Propagation Service (Windows) description: This topic for the IT professional describes the certificate propagation service (CertPropSvc), which is used in smart card implementation. ms.prod: m365-security -author: dansimp -ms.author: dansimp -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +ms.reviewer: ardenw +manager: aaroncz ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium ms.date: 08/24/2021 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Certificate Propagation Service -Applies To: Windows 10, Windows 11, Windows Server 2016 and above - This topic for the IT professional describes the certificate propagation service (CertPropSvc), which is used in smart card implementation. The certificate propagation service activates when a signed-in user inserts a smart card in a reader that is attached to the computer. This action causes the certificate to be read from the smart card. The certificates are then added to the user's Personal store. Certificate propagation service actions are controlled by using Group Policy. For more information, see [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md). diff --git a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md index 701f3dccd8..df7c9505b6 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md +++ b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md @@ -2,20 +2,24 @@ title: Certificate Requirements and Enumeration (Windows) description: This topic for the IT professional and smart card developers describes how certificates are managed and used for smart card sign-in. ms.prod: m365-security -author: dansimp -ms.author: dansimp -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +ms.reviewer: ardenw +manager: aaroncz ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium ms.date: 09/24/2021 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Certificate Requirements and Enumeration -Applies To: Windows 10, Windows 11, Windows Server 2016 and above - This topic for the IT professional and smart card developers describes how certificates are managed and used for smart card sign-in. When a smart card is inserted, the following steps are performed. diff --git a/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md b/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md index 50881d1ef8..7f0143c568 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md +++ b/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md @@ -2,21 +2,26 @@ title: Smart Card Troubleshooting (Windows) description: Describes the tools and services that smart card developers can use to help identify certificate issues with the smart card deployment. ms.prod: m365-security -author: dansimp -ms.author: dansimp -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +ms.reviewer: ardenw +manager: aaroncz ms.collection: - M365-identity-device-management - highpri ms.topic: article ms.localizationpriority: medium ms.date: 09/24/2021 +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Smart Card Troubleshooting -Applies To: Windows 10, Windows 11, Windows Server 2016 and above - This article explains tools and services that smart card developers can use to help identify certificate issues with the smart card deployment. Debugging and tracing smart card issues requires a variety of tools and approaches. The following sections provide guidance about tools and approaches you can use. diff --git a/windows/security/identity-protection/smart-cards/smart-card-events.md b/windows/security/identity-protection/smart-cards/smart-card-events.md index 9585fdfb5e..a750b165ca 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-events.md +++ b/windows/security/identity-protection/smart-cards/smart-card-events.md @@ -2,51 +2,47 @@ title: Smart Card Events (Windows) description: This topic for the IT professional and smart card developer describes events that are related to smart card deployment and development. ms.prod: m365-security -author: dansimp -ms.author: dansimp -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +ms.reviewer: ardenw +manager: aaroncz ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium ms.date: 09/24/2021 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Smart Card Events -Applies To: Windows 10, Windows 11, Windows Server 2016 and above - This topic for the IT professional and smart card developer describes events that are related to smart card deployment and development. A number of events can be used to monitor smart card activities on a computer, including installation, use, and errors. The following sections describe the events and information that can be used to manage smart cards in an organization. -- [Smart card reader name](#smart-card-reader-name) - -- [Smart card warning events](#smart-card-warning-events) - -- [Smart card error events](#smart-card-error-events) - -- [Smart card Plug and Play events](#smart-card-plug-and-play-events) - +- [Smart card reader name](#smart-card-reader-name) +- [Smart card warning events](#smart-card-warning-events) +- [Smart card error events](#smart-card-error-events) +- [Smart card Plug and Play events](#smart-card-plug-and-play-events) ## Smart card reader name -The Smart Card resource manager does not use the device name from Device Manager to describe a smart card reader. Instead, the name is constructed from three device attributes that are queried directly from the smart card reader driver. +The Smart Card resource manager doesn't use the device name from Device Manager to describe a smart card reader. Instead, the name is constructed from three device attributes that are queried directly from the smart card reader driver. The following three attributes are used to construct the smart card reader name: -- Vendor name - -- Interface device type - -- Device unit +- Vendor name +- Interface device type +- Device unit The smart card reader device name is constructed in the form <*VendorName*> <*Type*> <*DeviceUnit*>. For example 'Contoso Smart Card Reader 0' is constructed from the following information: -- Vendor name: Contoso - -- Interface device type: Smart Card Reader - -- Device unit: 0 +- Vendor name: Contoso +- Interface device type: Smart Card Reader +- Device unit: 0 ## Smart card warning events @@ -54,8 +50,8 @@ The smart card reader device name is constructed in the form <*VendorName*> | **Event ID** | **Warning Message** | **Description** | |--------------|---------|--------------------------------------------------------------------------------------------| -| 620 | Smart Card Resource Manager was unable to cancel IOCTL %3 for reader '%2': %1. The reader may no longer be responding. If this error persists, your smart card or reader may not be functioning correctly. %n%nCommand Header: %4 | This occurs if the resource manager attempts to cancel a command to the smart card reader when the smart card service is shutting down or after a smart card is removed from the smart card reader and the command could not to be canceled. This can leave the smart card reader in an unusable state until it is removed from the computer or the computer is restarted.

                  %1 = Windows error code
                  %2 = Smart card reader name
                  %3 = IOCTL being canceled
                  %4 = First 4 bytes of the command that was sent to the smart card | -| 619 | Smart Card Reader '%2' has not responded to IOCTL %3 in %1 seconds. If this error persists, your smart card or reader may not be functioning correctly. %n%nCommand Header: %4 | This occurs when a reader has not responded to an IOCTL after an unusually long period of time. Currently, this error is sent after a reader does not respond for 150 seconds. This can leave the smart card reader in an unusable state until it is removed from the computer or the computer is restarted.

                  %1 = Number of seconds the IOCTL has been waiting
                  %2 = Smart card reader name
                  %3 = IOCTL sent
                  %4 = First 4 bytes of the command that was sent to the smart card | +| 620 | Smart Card Resource Manager was unable to cancel IOCTL %3 for reader '%2': %1. The reader may no longer be responding. If this error persists, your smart card or reader may not be functioning correctly. %n%nCommand Header: %4 | This occurs if the resource manager attempts to cancel a command to the smart card reader when the smart card service is shutting down or after a smart card is removed from the smart card reader and the command could not be canceled. This can leave the smart card reader in an unusable state until it's removed from the computer or the computer is restarted.

                  %1 = Windows error code
                  %2 = Smart card reader name
                  %3 = IOCTL being canceled
                  %4 = First 4 bytes of the command that was sent to the smart card | +| 619 | Smart Card Reader '%2' hasn't responded to IOCTL %3 in %1 seconds. If this error persists, your smart card or reader may not be functioning correctly. %n%nCommand Header: %4 | This occurs when a reader hasn't responded to an IOCTL after an unusually long period of time. Currently, this error is sent after a reader doesn't respond for 150 seconds. This can leave the smart card reader in an unusable state until it's removed from the computer or the computer is restarted.

                  %1 = Number of seconds the IOCTL has been waiting
                  %2 = Smart card reader name
                  %3 = IOCTL sent
                  %4 = First 4 bytes of the command that was sent to the smart card | ## Smart card error events @@ -67,7 +63,7 @@ The smart card reader device name is constructed in the form <*VendorName*> | 205 | Reader object has duplicate name: %1 | There are two smart card readers that have the same name. Remove the smart card reader that is causing this error message.
                  %1 = Name of the smart card reader that is duplicated | | 206 | Failed to create global reader change event. | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue. | | 401 | Reader shutdown exception from eject smart card command | A smart card reader could not eject a smart card while the smart card reader was shutting down. | -| 406 | Reader object cannot Identify Device | A smart card reader did not properly respond to a request for information about the device, which is required for constructing the smart card reader name. The smart card reader will not be recognized by the service until it is removed from the computer and reinserted or until the computer is restarted. | +| 406 | Reader object cannot Identify Device | A smart card reader did not properly respond to a request for information about the device, which is required for constructing the smart card reader name. The smart card reader will not be recognized by the service until it's removed from the computer and reinserted or until the computer is restarted. | | 502 | Initialization of Service Status Critical Section failed | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue. | | 504 | Resource Manager cannot create shutdown event flag:  %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
                  %1 = Windows error code | | 506 | Smart Card Resource Manager failed to register service:  %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
                  %1 = Windows error code | @@ -95,10 +91,10 @@ The smart card reader device name is constructed in the form <*VendorName*> | 609 | Reader monitor failed to create overlapped event:  %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
                  %1 = Windows error code | | 610 | Smart Card Reader '%2' rejected IOCTL %3: %1  If this error persists, your smart card or reader may not be functioning correctly.%n%nCommand Header: %4 | The reader cannot successfully transmit the indicated IOCTL to the smart card. This can indicate hardware failure, but this error can also occur if a smart card or smart card reader is removed from the system while an operation is in progress.
                  %1 = Windows error code
                  %2 = Name of the smart card reader
                  %3 = IOCTL that was sent
                  %4 = First 4 bytes of the command sent to the smart card
                  These events are caused by legacy functionality in the smart card stack. It can be ignored if there is no noticeable failure in the smart card usage scenarios. You might also see this error if your eSIM is recognized as a smartcard controller.| | 611 | Smart Card Reader initialization failed | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve this issue. | -| 612 | Reader insertion monitor error retry threshold reached:  %1 | This occurs when a smart card reader fails several times to respond properly to the IOCTL, which indicates whether a smart card is present in the reader. The smart card reader is marked as defective, and it is not recognized by the service until it is removed from the computer and reinserted or until the computer is restarted.
                  %1 = Windows error code | -| 615 | Reader removal monitor error retry threshold reached:  %1 | This occurs when a smart card reader fails several times to respond properly to the IOCTL, which indicates whether a smart card is present in the reader. The smart card reader is marked as defective, and it is not recognized by the service until it is removed from the computer and reinserted or until the computer is restarted.
                  %1 = Windows error code | -| 616 | Reader monitor '%2' received uncaught error code:  %1 | This occurs when a smart card reader fails several times to respond properly to the IOCTL, which indicates whether a smart card is present in the reader. The smart card reader is marked as defective, and it is not recognized by the service until it is removed from the computer and reinserted or until the computer is restarted.
                  %1 = Windows error code
                  %2 = Reader name | -| 617 | Reader monitor '%1' exception -- exiting thread | An unknown error occurred while monitoring a smart card reader for smart card insertions and removals. The smart card reader is marked as defective, and it is not recognized by the service until it is removed from the computer and reinserted or until the computer is restarted.
                  %1 = Smart card reader name | +| 612 | Reader insertion monitor error retry threshold reached:  %1 | This occurs when a smart card reader fails several times to respond properly to the IOCTL, which indicates whether a smart card is present in the reader. The smart card reader is marked as defective, and it is not recognized by the service until it's removed from the computer and reinserted or until the computer is restarted.
                  %1 = Windows error code | +| 615 | Reader removal monitor error retry threshold reached:  %1 | This occurs when a smart card reader fails several times to respond properly to the IOCTL, which indicates whether a smart card is present in the reader. The smart card reader is marked as defective, and it is not recognized by the service until it's removed from the computer and reinserted or until the computer is restarted.
                  %1 = Windows error code | +| 616 | Reader monitor '%2' received uncaught error code:  %1 | This occurs when a smart card reader fails several times to respond properly to the IOCTL, which indicates whether a smart card is present in the reader. The smart card reader is marked as defective, and it is not recognized by the service until it's removed from the computer and reinserted or until the computer is restarted.
                  %1 = Windows error code
                  %2 = Reader name | +| 617 | Reader monitor '%1' exception -- exiting thread | An unknown error occurred while monitoring a smart card reader for smart card insertions and removals. The smart card reader is marked as defective, and it is not recognized by the service until it's removed from the computer and reinserted or until the computer is restarted.
                  %1 = Smart card reader name | | 618 | Smart Card Resource Manager encountered an unrecoverable internal error. | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue. | | 621 | Server Control failed to access start event: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
                  %1 = Windows error code
                  These events are caused by legacy functionality in the smart card stack. It can be ignored if there is no noticeable failure in the smart card usage scenarios. | | 622 | Server Control failed to access stop event: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
                  %1 = Windows error code | diff --git a/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md b/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md index 897140b630..2b1c30addd 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md +++ b/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md @@ -2,20 +2,24 @@ title: Smart Card Group Policy and Registry Settings (Windows) description: Discover the Group Policy, registry key, local security policy, and credential delegation policy settings that are available for configuring smart cards. ms.prod: m365-security -author: dansimp -ms.author: dansimp -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +ms.reviewer: ardenw +manager: aaroncz ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium ms.date: 11/02/2021 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Smart Card Group Policy and Registry Settings -Applies to: Windows 10, Windows 11, Windows Server 2016 and above - This article for IT professionals and smart card developers describes the Group Policy settings, registry key settings, local security policy settings, and credential delegation policy settings that are available for configuring smart cards. The following sections and tables list the smart card-related Group Policy settings and registry keys that can be set on a per-computer basis. If you use domain Group Policy Objects (GPOs), you can edit and apply Group Policy settings to local or domain computers. @@ -89,7 +93,7 @@ The following table lists the default values for these GPO settings. Variations ### Allow certificates with no extended key usage certificate attribute -You can use this policy setting to allow certificates without an enhanced key usage (EKU) set to be used for sign in. +You can use this policy setting to allow certificates without an enhanced key usage (EKU) set to be used for sign-in. > [!NOTE] > Enhanced key usage certificate attribute is also known as extended key usage. @@ -145,9 +149,9 @@ When this setting isn't turned on, the feature is not available. ### Allow signature keys valid for Logon -You can use this policy setting to allow signature key–based certificates to be enumerated and available for sign in. +You can use this policy setting to allow signature key–based certificates to be enumerated and available for sign-in. -When this setting is turned on, any certificates that are available on the smart card with a signature-only key are listed on the sign-in screen. +When this setting is turned on, any certificates that are available on the smart card with a signature-only key are listed on the sign-in screen. When this setting isn't turned on, certificates available on the smart card with a signature-only key aren't listed on the sign-in screen. @@ -160,7 +164,7 @@ When this setting isn't turned on, certificates available on the smart card with ### Allow time invalid certificates -You can use this policy setting to permit certificates that are expired or not yet valid to be displayed for sign in. +You can use this policy setting to permit certificates that are expired or not yet valid to be displayed for sign-in. > [!NOTE] > Before Windows Vista, certificates were required to contain a valid time and to not expire. For a certificate to be used, it must be accepted by the domain controller. This policy setting only controls which certificates are displayed on the client computer. @@ -178,7 +182,7 @@ When this policy setting isn't turned on, certificates that are expired or not y ### Allow user name hint -You can use this policy setting to determine whether an optional field appears during sign in and provides a subsequent elevation process where users can enter their username or username and domain, which associates a certificate with the user. +You can use this policy setting to determine whether an optional field appears during sign-in and provides a subsequent elevation process where users can enter their username or username and domain, which associates a certificate with the user. When this policy setting is turned on, users see an optional field where they can enter their username or username and domain. @@ -191,7 +195,7 @@ When this policy setting isn't turned on, users don't see this optional field. | Policy management | Restart requirement: None
                  Sign off requirement: None
                  Policy conflicts: None | | Notes and resources | | -### Configure root certificate clean up +### Configure root certificate clean-up You can use this policy setting to manage the cleanup behavior of root certificates. Certificates are verified by using a trust chain, and the trust anchor for the digital certificate is the Root Certification Authority (CA). A CA can issue multiple certificates with the root certificate as the top certificate of the tree structure. A private key is used to sign other certificates. This creates an inherited trustworthiness for all certificates immediately under the root certificate. @@ -251,17 +255,17 @@ This policy setting is applied to the computer after the [Allow time invalid cer ### Force the reading of all certificates from the smart card -You can use this policy setting to manage how Windows reads all certificates from the smart card for sign in. During sign in, Windows reads only the default certificate from the smart card unless it supports retrieval of all certificates in a single call. This policy setting forces Windows to read all the certificates from the smart card. +You can use this policy setting to manage how Windows reads all certificates from the smart card for sign-in. During sign-in, Windows reads only the default certificate from the smart card unless it supports retrieval of all certificates in a single call. This policy setting forces Windows to read all the certificates from the smart card. -When this policy setting is turned on, Windows attempts to read all certificates from the smart card, regardless of the CSP feature set. +When this policy setting is turned on, Windows attempts to read all certificates from the smart card, regardless of the CSP feature set. -When this policy isn't turned on, Windows attempts to read only the default certificate from smart cards that don't support retrieval of all certificates in a single call. Certificates other than the default aren't available for sign in. +When this policy isn't turned on, Windows attempts to read only the default certificate from smart cards that don't support retrieval of all certificates in a single call. Certificates other than the default aren't available for sign-in. | **Item** | **Description** | |--------------------------------------|----------------------------------------------------------------------------| | Registry key | **ForceReadingAllCertificates** | | Default values | No changes per operating system versions
                  Disabled and not configured are equivalent | -| Policy management | Restart requirement: None
                  Sign off requirement: None
                  Policy conflicts: None

                  **Important**: Enabling this policy setting can adversely impact performance during the sign in process in certain situations. | +| Policy management | Restart requirement: None
                  Sign off requirement: None
                  Policy conflicts: None

                  **Important**: Enabling this policy setting can adversely impact performance during the sign-in process in certain situations. | | Notes and resources | Contact the smart card vendor to determine if your smart card and associated CSP support the required behavior. | ### Notify user of successful smart card driver installation @@ -299,12 +303,12 @@ When this setting isn't turned on, Credential Manager can return plaintext PINs. ### Reverse the subject name stored in a certificate when displaying -You can use this policy setting to control the way the subject name appears during sign in. +You can use this policy setting to control the way the subject name appears during sign-in. > [!NOTE] > To help users distinguish one certificate from another, the user principal name (UPN) and the common name are displayed by default. For example, when this setting is enabled, if the certificate subject is CN=User1, OU=Users, DN=example, DN=com and the UPN is user1@example.com, "User1" is displayed with "user1@example.com." If the UPN is not present, the entire subject name is displayed. This setting controls the appearance of that subject name, and it might need to be adjusted for your organization. -When this policy setting is turned on, the subject name during sign in appears reversed from the way that it's stored in the certificate. +When this policy setting is turned on, the subject name during sign-in appears reversed from the way that it's stored in the certificate. When this policy setting isn’t turned on, the subject name appears the same as it’s stored in the certificate. diff --git a/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md b/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md index 9fb023c25f..4019c75ad2 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md +++ b/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md @@ -2,21 +2,26 @@ title: How Smart Card Sign-in Works in Windows description: This topic for IT professional provides links to resources about the implementation of smart card technologies in the Windows operating system. ms.prod: m365-security -author: dansimp -ms.author: dansimp -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +ms.reviewer: ardenw +manager: aaroncz ms.collection: - M365-identity-device-management - highpri ms.topic: article ms.localizationpriority: medium ms.date: 09/24/2021 +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # How Smart Card Sign-in Works in Windows -Applies To: Windows 10, Windows 11, Windows Server 2016 and above - This topic for IT professional provides links to resources about the implementation of smart card technologies in the Windows operating system. It includes the following resources about the architecture, certificate management, and services that are related to smart card use: - [Smart Card Architecture](smart-card-architecture.md): Learn about enabling communications with smart cards and smart card readers, which can be different according to the vendor that supplies them. diff --git a/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md b/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md index 5757f75aa1..79ce85481a 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md +++ b/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md @@ -2,20 +2,24 @@ title: Smart Card Removal Policy Service (Windows) description: This topic for the IT professional describes the role of the removal policy service (ScPolicySvc) in smart card implementation. ms.prod: m365-security -author: dansimp -ms.author: dansimp -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +ms.reviewer: ardenw +manager: aaroncz ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium ms.date: 09/24/2021 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Smart Card Removal Policy Service -Applies To: Windows 10, Windows 11, Windows Server 2016 - This topic for the IT professional describes the role of the removal policy service (ScPolicySvc) in smart card implementation. The smart card removal policy service is applicable when a user has signed in with a smart card and then removes that smart card from the reader. The action that is performed when the smart card is removed is controlled by Group Policy settings. For more information, see [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md). @@ -26,7 +30,7 @@ The smart card removal policy service is applicable when a user has signed in wi The numbers in the previous figure represent the following actions: -1. Winlogon is not directly involved in monitoring for smart card removal events. The sequence of steps that are involved when a smart card is removed begins with the smart card credential provider in the sign-in UI process. When a user successfully signs in with a smart card, the smart card credential provider captures the reader name. This information is then stored in the registry with the session identifier where the sign in was initiated. +1. Winlogon is not directly involved in monitoring for smart card removal events. The sequence of steps that are involved when a smart card is removed begins with the smart card credential provider in the sign-in UI process. When a user successfully signs in with a smart card, the smart card credential provider captures the reader name. This information is then stored in the registry with the session identifier where the sign-in was initiated. 2. The smart card resource manager service notifies the smart card removal policy service that a sign-in has occurred. diff --git a/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md b/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md index 0345ccac67..4acfbe37c2 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md +++ b/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md @@ -2,20 +2,24 @@ title: Smart Cards for Windows Service (Windows) description: This topic for the IT professional and smart card developers describes how the Smart Cards for Windows service manages readers and application interactions. ms.prod: m365-security -author: dansimp -ms.author: dansimp -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +ms.reviewer: ardenw +manager: aaroncz ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium ms.date: 09/24/2021 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Smart Cards for Windows Service -Applies To: Windows 10, Windows 11, Windows Server 2016 and above - This topic for the IT professional and smart card developers describes how the Smart Cards for Windows service (formerly called Smart Card Resource Manager) manages readers and application interactions. The Smart Cards for Windows service provides the basic infrastructure for all other smart card components as it manages smart card readers and application interactions on the computer. It is fully compliant with the specifications set by the PC/SC Workgroup. For information about these specifications, see the [PC/SC Workgroup Specifications website](https://pcscworkgroup.com/). diff --git a/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md b/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md index a7c1c2bfa4..faab6d1c50 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md +++ b/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md @@ -2,20 +2,24 @@ title: Smart Card Tools and Settings (Windows) description: This topic for the IT professional and smart card developer links to information about smart card debugging, settings, and events. ms.prod: m365-security -author: dansimp -ms.author: dansimp -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +ms.reviewer: ardenw +manager: aaroncz ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium ms.date: 09/24/2021 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Smart Card Tools and Settings -Applies To: Windows 10, Windows 11, Windows Server 2016 and above - This topic for the IT professional and smart card developer links to information about smart card debugging, settings, and events. This section of the Smart Card Technical Reference contains information about the following: diff --git a/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md b/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md index 7f577b80dd..7899c14e50 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md +++ b/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md @@ -2,20 +2,24 @@ title: Smart Card Technical Reference (Windows) description: Learn about the Windows smart card infrastructure for physical smart cards, and how smart card-related components work in Windows. ms.prod: m365-security -author: dansimp -ms.author: dansimp -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +ms.reviewer: ardenw +manager: aaroncz ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium ms.date: 09/24/2021 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Smart Card Technical Reference -Applies To: Windows 10, Windows 11, Windows Server 2016 and above - The Smart Card Technical Reference describes the Windows smart card infrastructure for physical smart cards and how smart card-related components work in Windows. This document also contains information about tools that information technology (IT) developers and administrators can use to troubleshoot, debug, and deploy smart card-based strong authentication in the enterprise. ## Audience diff --git a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md index ded2f140d2..42aca41a0a 100644 --- a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md +++ b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md @@ -1,26 +1,27 @@ --- title: How User Account Control works (Windows) description: User Account Control (UAC) is a fundamental component of Microsoft's overall security vision. UAC helps mitigate the impact of malware. -ms.reviewer: ms.prod: m365-security -author: dansimp -ms.author: dansimp -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +ms.reviewer: sulahiri +manager: aaroncz ms.collection: - M365-identity-device-management - highpri ms.topic: article ms.localizationpriority: medium ms.date: 09/23/2021 +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # How User Account Control works -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above - User Account Control (UAC) is a fundamental component of Microsoft's overall security vision. UAC helps mitigate the impact of malware. ## UAC process and interactions diff --git a/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md b/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md index eb97277ed7..e54d14dafe 100644 --- a/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md +++ b/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md @@ -2,25 +2,25 @@ title: User Account Control Group Policy and registry key settings (Windows) description: Here's a list of UAC Group Policy and registry key settings that your organization can use to manage UAC. ms.prod: m365-security -author: dansimp -ms.author: dansimp -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +ms.reviewer: sulahiri +manager: aaroncz ms.collection: - M365-identity-device-management - highpri ms.topic: article ms.localizationpriority: medium ms.date: 04/19/2017 +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # User Account Control Group Policy and registry key settings - -**Applies to** - -- Windows 10 -- Windows 11 -- Windows Server 2016 and above - ## Group Policy settings There are 10 Group Policy settings that can be configured for User Account Control (UAC). The table lists the default for each of the policy settings, and the following sections explain the different UAC policy settings and provide recommendations. These policy settings are located in **Security Settings\\Local Policies\\Security Options** in the Local Security Policy snap-in. For more information about each of the Group Policy settings, see the Group Policy description. For information about the registry key settings, see [Registry key settings](#registry-key-settings). diff --git a/windows/security/identity-protection/user-account-control/user-account-control-overview.md b/windows/security/identity-protection/user-account-control/user-account-control-overview.md index 2e12c5d66e..e9b562bbe0 100644 --- a/windows/security/identity-protection/user-account-control/user-account-control-overview.md +++ b/windows/security/identity-protection/user-account-control/user-account-control-overview.md @@ -1,26 +1,27 @@ --- title: User Account Control (Windows) description: User Account Control (UAC) helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop. -ms.reviewer: ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -ms.author: dansimp -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +ms.reviewer: sulahiri +manager: aaroncz ms.collection: - M365-identity-device-management - highpri ms.topic: article ms.date: 09/24/2011 +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # User Account Control -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above - User Account Control (UAC) helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator specifically authorizes administrator-level access to the system. UAC can block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings. UAC allows all users to log on to their computers using a standard user account. Processes launched using a standard user token may perform tasks using access rights granted to a standard user. For instance, Windows Explorer automatically inherits standard user level permissions. Additionally, any apps that are started using Windows Explorer (for example, by double-clicking a shortcut) also run with the standard set of user permissions. Many apps, including those that are included with the operating system itself, are designed to work properly in this way. diff --git a/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md b/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md index d5a71d6a7b..cacda816c0 100644 --- a/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md +++ b/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md @@ -1,27 +1,27 @@ --- title: User Account Control security policy settings (Windows) description: You can use security policies to configure how User Account Control works in your organization. -ms.reviewer: ms.prod: m365-security -author: dansimp -ms.author: dansimp -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +ms.reviewer: sulahiri +manager: aaroncz ms.collection: - M365-identity-device-management - highpri ms.topic: article ms.localizationpriority: medium ms.date: 09/24/2021 +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # User Account Control security policy settings -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above - - You can use security policies to configure how User Account Control works in your organization. They can be configured locally by using the Local Security Policy snap-in (secpol.msc) or configured for the domain, OU, or specific groups by Group Policy. ## User Account Control: Admin Approval Mode for the Built-in Administrator account diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md index a6b311b8f1..763ba1f346 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md @@ -2,14 +2,16 @@ title: Deploy Virtual Smart Cards (Windows 10) description: This topic for the IT professional discusses the factors to consider when you deploy a virtual smart card authentication solution. ms.prod: m365-security -author: dansimp -ms.author: dansimp -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium ms.date: 04/19/2017 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows Server 2016 --- # Deploy Virtual Smart Cards diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md index cb90ff6746..703582c5a0 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md @@ -2,20 +2,20 @@ title: Evaluate Virtual Smart Card Security (Windows 10) description: This topic for the IT professional describes security characteristics and considerations when deploying TPM virtual smart cards. ms.prod: m365-security -author: dansimp -ms.author: dansimp -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium ms.date: 04/19/2017 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows Server 2016 --- # Evaluate Virtual Smart Card Security -Applies To: Windows 10, Windows Server 2016 - This topic for the IT professional describes security characteristics and considerations when deploying TPM virtual smart cards. ## Virtual smart card non-exportability details diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md index a1371cb4aa..92cdfe8cdc 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md @@ -2,20 +2,20 @@ title: Get Started with Virtual Smart Cards - Walkthrough Guide (Windows 10) description: This topic for the IT professional describes how to set up a basic test environment for using TPM virtual smart cards. ms.prod: m365-security -author: dansimp -ms.author: dansimp -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium ms.date: 04/19/2017 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows Server 2016 --- # Get Started with Virtual Smart Cards: Walkthrough Guide -Applies To: Windows 10, Windows Server 2016 - This topic for the IT professional describes how to set up a basic test environment for using TPM virtual smart cards. Virtual smart cards are a technology from Microsoft, which offer comparable security benefits in two-factor authentication to physical smart cards. They also offer more convenience for users and lower cost for organizations to deploy. By utilizing Trusted Platform Module (TPM) devices that provide the same cryptographic capabilities as physical smart cards, virtual smart cards accomplish the three key properties that are desired by smart cards: non-exportability, isolated cryptography, and anti-hammering. diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md index f81458d9ea..7d92df7bd0 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md @@ -2,20 +2,20 @@ title: Virtual Smart Card Overview (Windows 10) description: Learn more about the virtual smart card technology that was developed by Microsoft. Find links to additional topics about virtual smart cards. ms.prod: m365-security -author: dansimp -ms.author: dansimp -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz ms.collection: M365-identity-device-management ms.topic: conceptual ms.localizationpriority: medium ms.date: 10/13/2017 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows Server 2016 --- # Virtual Smart Card Overview -Applies To: Windows 10, Windows Server 2016 - This topic for IT professional provides an overview of the virtual smart card technology that was developed by Microsoft and includes [links to additional topics](#see-also) to help you evaluate, plan, provision, and administer virtual smart cards. **Did you mean…** diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md index e6674037f9..37b59cb998 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md @@ -2,20 +2,20 @@ title: Tpmvscmgr (Windows 10) description: This topic for the IT professional describes the Tpmvscmgr command-line tool, through which an administrator can create and delete TPM virtual smart cards on a computer. ms.prod: m365-security -author: dansimp -ms.author: dansimp -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium ms.date: 04/19/2017 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows Server 2016 --- # Tpmvscmgr -Applies To: Windows 10, Windows Server 2016 - The Tpmvscmgr command-line tool allows users with Administrative credentials to create and delete TPM virtual smart cards on a computer. For examples of how this command can be used, see [Examples](#examples). ## Syntax diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md index 49bd1fbfff..077d990d63 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md @@ -2,20 +2,20 @@ title: Understanding and Evaluating Virtual Smart Cards (Windows 10) description: Learn how smart card technology can fit into your authentication design. Find links to additional topics about virtual smart cards. ms.prod: m365-security -author: dansimp -ms.author: dansimp -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium ms.date: 04/19/2017 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows Server 2016 --- # Understanding and Evaluating Virtual Smart Cards -Applies To: Windows 10, Windows Server 2016 - This topic for the IT professional describes the virtual smart card technology that was developed by Microsoft; suggests how it can fit into your authentication design; and provides links to additional resources that you can use to design, deploy, and troubleshoot virtual smart cards. Virtual smart card technology uses cryptographic keys that are stored on computers that have the Trusted Platform Module (TPM) installed. Virtual smart cards offer comparable security benefits to conventional smart cards by using two-factor authentication. The technology also offers more convenience for users and has a lower cost to deploy. By utilizing TPM devices that provide the same cryptographic capabilities as conventional smart cards, virtual smart cards accomplish the three key properties that are desired for smart cards: non-exportability, isolated cryptography, and anti-hammering. diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md index 3d09432ada..6cb4ac6fc7 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md @@ -2,20 +2,20 @@ title: Use Virtual Smart Cards (Windows 10) description: This topic for the IT professional describes requirements for virtual smart cards and provides information about how to use and manage them. ms.prod: m365-security -author: dansimp -ms.author: dansimp -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium ms.date: 10/13/2017 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows Server 2016 --- # Use Virtual Smart Cards -Applies To: Windows 10, Windows Server 2016 - This topic for the IT professional describes requirements for virtual smart cards, how to use virtual smart cards, and tools that are available to help you create and manage them. ## Requirements, restrictions, and limitations diff --git a/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md b/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md index 647e58e84b..0e77c5aca8 100644 --- a/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md +++ b/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md @@ -2,12 +2,15 @@ title: How to configure Diffie Hellman protocol over IKEv2 VPN connections (Windows 10 and Windows 11) description: Learn how to update the Diffie Hellman configuration of VPN servers and clients by running VPN cmdlets to secure connections. ms.prod: m365-security -author: dansimp -ms.author: dansimp +author: paolomatarazzo +ms.author: paoloma ms.localizationpriority: medium ms.date: 09/23/2021 -ms.reviewer: -manager: dansimp +manager: aaroncz +ms.reviewer: pesmith +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- # How to configure Diffie Hellman protocol over IKEv2 VPN connections diff --git a/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md b/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md index 317751d40d..58e9851817 100644 --- a/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md +++ b/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md @@ -2,11 +2,14 @@ title: How to use Single Sign-On (SSO) over VPN and Wi-Fi connections (Windows 10 and Windows 11) description: Explains requirements to enable Single Sign-On (SSO) to on-premises domain resources over WiFi or VPN connections. ms.prod: m365-security -author: dansimp +author: paolomatarazzo ms.date: 03/22/2022 -ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: paoloma +ms.reviewer: pesmith +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- # How to use Single Sign-On (SSO) over VPN and Wi-Fi connections diff --git a/windows/security/identity-protection/vpn/vpn-authentication.md b/windows/security/identity-protection/vpn/vpn-authentication.md index 65de4f3780..3434542f7b 100644 --- a/windows/security/identity-protection/vpn/vpn-authentication.md +++ b/windows/security/identity-protection/vpn/vpn-authentication.md @@ -2,20 +2,19 @@ title: VPN authentication options (Windows 10 and Windows 11) description: Learn about the EAP authentication methods that Windows supports in VPNs to provide secure authentication using username/password and certificate-based methods. ms.prod: m365-security -author: dansimp +author: paolomatarazzo ms.localizationpriority: medium ms.date: 09/23/2021 -ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: paoloma +ms.reviewer: pesmith +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- # VPN authentication options -**Applies to** -- Windows 10 -- Windows 11 - In addition to older and less-secure password-based authentication methods (which should be avoided), the built-in VPN solution uses Extensible Authentication Protocol (EAP) to provide secure authentication using both user name and password, and certificate-based methods. You can only configure EAP-based authentication if you select a built-in VPN type (IKEv2, L2TP, PPTP or Automatic). Windows supports a number of EAP authentication methods. diff --git a/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md b/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md index 8b3e2dbebd..2cef6b0692 100644 --- a/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md +++ b/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md @@ -2,20 +2,19 @@ title: VPN auto-triggered profile options (Windows 10 and Windows 11) description: Learn about the types of auto-trigger rules for VPNs in Windows, which start a VPN when it is needed to access a resource. ms.prod: m365-security -author: dansimp +author: paolomatarazzo ms.localizationpriority: medium ms.date: 09/23/2021 -ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: paoloma +ms.reviewer: pesmith +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- # VPN auto-triggered profile options -**Applies to** -- Windows 10 -- Windows 11 - In Windows 10 and Windows 11, a number of features have been added to auto-trigger VPN so users won’t have to manually connect when VPN is needed to access necessary resources. There are three different types of auto-trigger rules: - App trigger diff --git a/windows/security/identity-protection/vpn/vpn-conditional-access.md b/windows/security/identity-protection/vpn/vpn-conditional-access.md index 0912af9374..e33c303053 100644 --- a/windows/security/identity-protection/vpn/vpn-conditional-access.md +++ b/windows/security/identity-protection/vpn/vpn-conditional-access.md @@ -2,22 +2,23 @@ title: VPN and conditional access (Windows 10 and Windows 11) description: Learn how to integrate the VPN client with the Conditional Access Platform, so you can create access rules for Azure Active Directory (Azure AD) connected apps. ms.prod: m365-security -author: dansimp -ms.author: dansimp -manager: dansimp -ms.reviewer: +author: paolomatarazzo +ms.author: paoloma +ms.reviewer: pesmith +manager: aaroncz ms.localizationpriority: medium ms.date: 09/23/2021 +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- # VPN and conditional access ->Applies to: Windows 10 and Windows 11 - The VPN client is now able to integrate with the cloud-based Conditional Access Platform to provide a device compliance option for remote clients. Conditional Access is a policy-based evaluation engine that lets you create access rules for any Azure Active Directory (Azure AD) connected application. >[!NOTE] ->Conditional Access is an Azure AD Premium feature. +>Conditional Access is an Azure AD Premium feature. Conditional Access Platform components used for Device Compliance include the following cloud-based services: diff --git a/windows/security/identity-protection/vpn/vpn-connection-type.md b/windows/security/identity-protection/vpn/vpn-connection-type.md index 75b93889b6..96e77511ad 100644 --- a/windows/security/identity-protection/vpn/vpn-connection-type.md +++ b/windows/security/identity-protection/vpn/vpn-connection-type.md @@ -2,20 +2,19 @@ title: VPN connection types (Windows 10 and Windows 11) description: Learn about Windows VPN platform clients and the VPN connection-type features that can be configured. ms.prod: m365-security -author: dansimp +author: paolomatarazzo ms.localizationpriority: medium ms.date: 08/23/2021 -ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: paoloma +ms.reviewer: pesmith +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- # VPN connection types -**Applies to** -- Windows 10 -- Windows 11 - Virtual private networks (VPNs) are point-to-point connections across a private or public network, such as the Internet. A VPN client uses special TCP/IP or UDP-based protocols, called *tunneling protocols*, to make a virtual call to a virtual port on a VPN server. In a typical VPN deployment, a client initiates a virtual point-to-point connection to a remote access server over the Internet. The remote access server answers the call, authenticates the caller, and transfers data between the VPN client and the organization’s private network. There are many options for VPN clients. In Windows 10 and Windows 11, the built-in plug-in and the Universal Windows Platform (UWP) VPN plug-in platform are built on top of the Windows VPN platform. This guide focuses on the Windows VPN platform clients and the features that can be configured. diff --git a/windows/security/identity-protection/vpn/vpn-guide.md b/windows/security/identity-protection/vpn/vpn-guide.md index 58fa8e9068..c235596b5c 100644 --- a/windows/security/identity-protection/vpn/vpn-guide.md +++ b/windows/security/identity-protection/vpn/vpn-guide.md @@ -2,22 +2,19 @@ title: Windows VPN technical guide (Windows 10 and Windows 11) description: Learn about decisions to make for Windows 10 or Windows 11 clients in your enterprise VPN solution and how to configure your deployment. ms.prod: m365-security -author: dansimp +author: paolomatarazzo ms.localizationpriority: medium ms.date: 02/21/2022 -ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: paoloma +ms.reviewer: pesmith +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- # Windows VPN technical guide - -**Applies to** - -- Windows 10 -- Windows 11 - This guide will walk you through the decisions you will make for Windows 10 or Windows 11 clients in your enterprise VPN solution and how to configure your deployment. This guide references the [VPNv2 Configuration Service Provider (CSP)](/windows/client-management/mdm/vpnv2-csp) and provides mobile device management (MDM) configuration instructions using Microsoft Intune and the VPN Profile template for Windows 10 and Windows 11. To create a Windows 10 VPN device configuration profile see: [Windows 10 and Windows Holographic device settings to add VPN connections using Intune](/mem/intune/configuration/vpn-settings-windows-10). diff --git a/windows/security/identity-protection/vpn/vpn-name-resolution.md b/windows/security/identity-protection/vpn/vpn-name-resolution.md index fe3269e28b..d91442912d 100644 --- a/windows/security/identity-protection/vpn/vpn-name-resolution.md +++ b/windows/security/identity-protection/vpn/vpn-name-resolution.md @@ -2,20 +2,19 @@ title: VPN name resolution (Windows 10 and Windows 11) description: Learn how the name resolution setting in the VPN profile configures how name resolution works when a VPN client connects to a VPN server. ms.prod: m365-security -author: dansimp +author: paolomatarazzo ms.localizationpriority: medium ms.date: 09/23/2021 -ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: paoloma +ms.reviewer: pesmith +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- # VPN name resolution -**Applies to** -- Windows 10 -- Windows 11 - When the VPN client connects to the VPN server, the VPN client receives the client IP address. The client may also receive the IP address of the Domain Name System (DNS) server and the IP address of the Windows Internet Name Service (WINS) server. The name resolution setting in the VPN profile configures how name resolution should work on the system when VPN is connected. The networking stack first looks at the Name Resolution Policy table (NRPT) for any matches and tries a resolution in the case of a match. If no match is found, the DNS suffix on the most preferred interface based on the interface metric is appended to the name (in the case of a short name) and a DNS query is sent out on the preferred interface. If the query times out, the DNS suffix search list is used in order and DNS queries are sent on all interfaces. diff --git a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md index 2022a4e863..c54c8c05a4 100644 --- a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md +++ b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md @@ -3,14 +3,16 @@ title: Optimizing Office 365 traffic for remote workers with the native Windows description: tbd ms.prod: m365-security ms.topic: article -author: kelleyvice-msft ms.localizationpriority: medium ms.date: 09/23/2021 -ms.reviewer: -manager: dansimp -ms.author: jajo +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: pesmith +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- - # Optimizing Office 365 traffic for remote workers with the native Windows 10 and Windows 11 VPN client This article describes how to configure the recommendations in the article [Optimize Office 365 connectivity for remote users using VPN split tunneling](/office365/enterprise/office-365-vpn-split-tunnel) for the *native Windows 10 and Windows 11 VPN client*. This guidance enables VPN administrators to optimize Office 365 usage while still ensuring that all other traffic goes over the VPN connection and through existing security gateways and tooling. diff --git a/windows/security/identity-protection/vpn/vpn-profile-options.md b/windows/security/identity-protection/vpn/vpn-profile-options.md index b0cd4195ee..c6a1f32a1b 100644 --- a/windows/security/identity-protection/vpn/vpn-profile-options.md +++ b/windows/security/identity-protection/vpn/vpn-profile-options.md @@ -1,22 +1,20 @@ --- title: VPN profile options (Windows 10 and Windows 11) description: Windows adds Virtual Private Network (VPN) profile options to help manage how users connect. VPNs give users secure remote access to the company network. -ms.reviewer: -manager: dansimp +manager: aaroncz ms.prod: m365-security -author: dansimp -ms.author: dansimp +author: paolomatarazzo +ms.author: paoloma +ms.reviewer: pesmith ms.localizationpriority: medium ms.date: 05/17/2018 +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- # VPN profile options -**Applies to** - -- Windows 10 -- Windows 11 - Most of the VPN settings in Windows 10 and Windows 11 can be configured in VPN profiles using Microsoft Intune or Microsoft Endpoint Configuration Manager. All VPN settings in Windows 10 and Windows 11 can be configured using the **ProfileXML** node in the [VPNv2 configuration service provider (CSP)](/windows/client-management/mdm/vpnv2-csp). >[!NOTE] diff --git a/windows/security/identity-protection/vpn/vpn-routing.md b/windows/security/identity-protection/vpn/vpn-routing.md index 291f5adaf9..2fdcf08d5b 100644 --- a/windows/security/identity-protection/vpn/vpn-routing.md +++ b/windows/security/identity-protection/vpn/vpn-routing.md @@ -2,20 +2,18 @@ title: VPN routing decisions (Windows 10 and Windows 10) description: Learn about approaches that either send all data through a VPN or only selected data. The one you choose impacts capacity planning and security expectations. ms.prod: m365-security -author: dansimp +author: paolomatarazzo ms.localizationpriority: medium ms.date: 09/23/2021 -ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: paoloma +ms.reviewer: pesmith +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- - # VPN routing decisions -**Applies to** -- Windows 10 -- Windows 11 - Network routes are required for the stack to understand which interface to use for outbound traffic. One of the most important decision points for VPN configuration is whether you want to send all the data through VPN (*force tunnel*) or only some data through the VPN (*split tunnel*). This decision impacts the configuration and the capacity planning, as well as security expectations from the connection. ## Split tunnel configuration diff --git a/windows/security/identity-protection/vpn/vpn-security-features.md b/windows/security/identity-protection/vpn/vpn-security-features.md index 34d9f772e4..31e2845099 100644 --- a/windows/security/identity-protection/vpn/vpn-security-features.md +++ b/windows/security/identity-protection/vpn/vpn-security-features.md @@ -2,21 +2,19 @@ title: VPN security features description: Learn about security features for VPN, including LockDown VPN, Windows Information Protection integration with VPN, and traffic filters. ms.prod: m365-security -author: dansimp +author: paolomatarazzo ms.localizationpriority: medium ms.date: 07/21/2022 -ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: paoloma +ms.reviewer: pesmith +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- # VPN security features -**Applies to** -- Windows 10 -- Windows 11 - - ## Hyper-V based containers and VPN Windows supports different kinds of Hyper-V based containers. This support includes, but isn't limited to, Microsoft Defender Application Guard and Windows Sandbox. When you use 3rd party VPN solutions, these Hyper-V based containers may not be able to seamlessly connect to the internet. Additional configurational changes might be needed to resolve connectivity issues. diff --git a/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md b/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md index abe5fd0462..ced8857c84 100644 --- a/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md +++ b/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md @@ -1,22 +1,21 @@ --- title: Windows Credential Theft Mitigation Guide Abstract description: Provides a summary of the Windows credential theft mitigation guide. -ms.reviewer: ms.prod: m365-security -author: dansimp -ms.author: dansimp -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium ms.date: 04/19/2017 +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- # Windows Credential Theft Mitigation Guide Abstract -**Applies to** -- Windows 10 - This topic provides a summary of the Windows credential theft mitigation guide, which can be downloaded from the [Microsoft Download Center](https://download.microsoft.com/download/C/1/4/C14579CA-E564-4743-8B51-61C0882662AC/Windows%2010%20credential%20theft%20mitigation%20guide.docx). This guide explains how credential theft attacks occur and the strategies and countermeasures you can implement to mitigate them, following these security stages: diff --git a/windows/security/includes/improve-request-performance.md b/windows/security/includes/improve-request-performance.md index 89b07558ea..24aaa25d9f 100644 --- a/windows/security/includes/improve-request-performance.md +++ b/windows/security/includes/improve-request-performance.md @@ -3,12 +3,12 @@ title: Improve request performance description: Improve request performance search.product: eADQiWindows 10XVcnh ms.prod: m365-security -ms.author: macapara -author: mjcaparas ms.localizationpriority: medium -manager: dansimp ms.collection: M365-security-compliance ms.topic: article +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz --- >[!TIP] diff --git a/windows/security/includes/machineactionsnote.md b/windows/security/includes/machineactionsnote.md index 5d784c2abe..31e3d1ac98 100644 --- a/windows/security/includes/machineactionsnote.md +++ b/windows/security/includes/machineactionsnote.md @@ -3,9 +3,9 @@ title: Perform a Machine Action via the Microsoft Defender for Endpoint API description: This page focuses on performing a machine action via the Microsoft Defender for Endpoint API. ms.date: 08/28/2017 ms.reviewer: -manager: dansimp -ms.author: macapara -author: mjcaparas +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz ms.prod: m365-security --- diff --git a/windows/security/includes/microsoft-defender-api-usgov.md b/windows/security/includes/microsoft-defender-api-usgov.md index 288e5a9769..74cfd90cbb 100644 --- a/windows/security/includes/microsoft-defender-api-usgov.md +++ b/windows/security/includes/microsoft-defender-api-usgov.md @@ -3,10 +3,10 @@ title: Microsoft Defender for Endpoint API URIs for US Government description: Microsoft Defender for Endpoint API URIs for US Government search.product: eADQiWindows 10XVcnh ms.prod: m365-security -ms.author: macapara -author: mjcaparas +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz ms.localizationpriority: medium -manager: dansimp ms.collection: M365-security-compliance ms.topic: article --- diff --git a/windows/security/includes/microsoft-defender.md b/windows/security/includes/microsoft-defender.md index f3a6cb666b..2bca659e04 100644 --- a/windows/security/includes/microsoft-defender.md +++ b/windows/security/includes/microsoft-defender.md @@ -4,8 +4,9 @@ description: A note in regard to important Microsoft 365 Defender guidance. ms.date: ms.reviewer: manager: dansimp -ms.author: dansimp -author: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz ms.prod: m365-security ms.topic: include --- diff --git a/windows/security/includes/prerelease.md b/windows/security/includes/prerelease.md index bced58da9f..58b056c484 100644 --- a/windows/security/includes/prerelease.md +++ b/windows/security/includes/prerelease.md @@ -3,9 +3,9 @@ title: Microsoft Defender for Endpoint Pre-release Disclaimer description: Disclaimer for pre-release version of Microsoft Defender for Endpoint. ms.date: 08/28/2017 ms.reviewer: -manager: dansimp -ms.author: macapara -author: mjcaparas +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz ms.prod: m365-security --- diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md index 2f384a46fc..09e60e2f2b 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md @@ -2,7 +2,7 @@ title: Interactive Logon Message text (Windows 10) description: Learn about best practices, security considerations and more for the security policy setting, Interactive logon Message text for users attempting to log on. ms.assetid: fcfe8a6d-ca65-4403-b9e6-2fa017a31c2e -ms.reviewer: +ms.reviewer: ms.author: dansimp ms.prod: m365-security ms.mktglfcycl: deploy @@ -32,9 +32,7 @@ The **Interactive logon: Message text for users attempting to log on** and [Inte **Interactive logon: Message text for users attempting to log on** specifies a text message to be displayed to users when they sign in. -**Interactive logon: Message title for users attempting to log on** specifies a title to appear in the title bar of the window that contains the text message. This text is often used for legal reasons—for example, to warn users about the ramifications of misusing company information, or to warn them that their actions might be audited. - -Not using this warning-message policy setting leaves your organization legally vulnerable to trespassers who unlawfully penetrate your network. Legal precedents have established that organizations that display warnings to users who connect to their servers over a network have a higher rate of successfully prosecuting trespassers. +**Interactive logon: Message title for users attempting to log on** specifies a title to appear in the title bar of the window that contains the text message. This text is often used for legal reasons, for example, to warn users about the ramifications of misusing company information or to warn them that their actions may be audited. When these policy settings are configured, users will see a dialog box before they can sign in to the server console. diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md index ab20a8f979..b16fd3bff2 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md @@ -2,7 +2,7 @@ title: Interactive logon Message title for users attempting to log on (Windows 10) description: Best practices, security considerations, and more for the security policy setting, Interactive logon Message title for users attempting to log on. ms.assetid: f2596470-4cc0-4ef1-849c-bef9dc3533c6 -ms.reviewer: +ms.reviewer: ms.author: dansimp ms.prod: m365-security ms.mktglfcycl: deploy @@ -30,9 +30,7 @@ Describes the best practices, location, values, policy management and security c This security setting allows you to specify a title that appears in the title bar of the window that contains the **Interactive logon: Message title for users attempting to log on**. This text is often used for legal reasons—for example, to warn users about the ramifications of misusing company information, or to warn them that their actions might be audited. -The **Interactive logon: Message title for users attempting to log on** and [Interactive logon: Message text for users attempting to log on](interactive-logon-message-text-for-users-attempting-to-log-on.md) policy settings are closely related. **Interactive logon: Message title for users attempting to log on** specifies a message title to be displayed to users when they log on. - -Not using this warning-message policy setting leaves your organization legally vulnerable to trespassers who unlawfully penetrate your network. Legal precedents have established that organizations that display warnings to users who connect to their servers over a network have a higher rate of successfully prosecuting trespassers. +The **Interactive logon: Message title for users attempting to log on** and [Interactive logon: Message text for users attempting to log on](interactive-logon-message-text-for-users-attempting-to-log-on.md) policy settings are closely related. **Interactive logon: Message title for users attempting to log on** specifies a message title to be displayed to users when they log on. This text is often used for legal reasons, for example, to warn users about the ramifications of misusing company information or to warn them that their actions may be audited. When these policy settings are configured, users will see a dialog box before they can sign in the server console. @@ -43,7 +41,7 @@ When these policy settings are configured, users will see a dialog box before th ### Best practices -1. It's advisable to set **Interactive logon: Message title for users attempting to log on** to a value similar to one of the following values: +1. It is advisable to set **Interactive logon: Message title for users attempting to log on** to a value similar to one the following: - RESTRICTED SYSTEM diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md index aee609a7fd..e30b2c517a 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md @@ -1,6 +1,6 @@ --- title: Script rules in AppLocker (Windows) -description: This topic describes the file formats and available default rules for the script rule collection. +description: This article describes the file formats and available default rules for the script rule collection. ms.assetid: fee24ca4-935a-4c5e-8a92-8cf1d134d35f ms.reviewer: ms.author: macapara @@ -26,10 +26,6 @@ ms.technology: windows-sec - Windows 11 - Windows Server 2016 and above -> [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). - - This article describes the file formats and available default rules for the script rule collection. AppLocker defines script rules to include only the following file formats: @@ -44,11 +40,11 @@ The following table lists the default rules that are available for the script ru | Purpose | Name | User | Rule condition type | | - | - | - | - | | Allows members of the local Administrators group to run all scripts| (Default Rule) All scripts| BUILTIN\Administrators | Path: `*\` | -| Allow all users to run scripts in the Windows folder| (Default Rule) All scripts located in the Windows folder| Everyone | Path: `%windir%\*` | -| Allow all users to run scripts in the Program Files folder| (Default Rule) All scripts located in the Program Files folder|Everyone | Path: `%programfiles%\*`| - +| Allow all users to run scripts in the Windows folder| (Default Rule) All scripts located in the Windows folder| Everyone | Path: `%windir%\*` | +| Allow all users to run scripts in the Program Files folder| (Default Rule) All scripts located in the Program Files folder|Everyone | Path: `%programfiles%\*`| + > [!NOTE] -> Windows Defender Application Control cannot be used to block PowerShell scripts. AppLocker just forces PowerShell scripts to be run in Constrained Language mode. Also note that in cases where a PS1 script is "blocked", AppLocker generates an 8007 event, which states that the script will be blocked, but then the script runs. +> When a script runs that is not allowed by policy, AppLocker raises an event indicating that the script was "blocked". However, the actual script enforcement behavior is handled by the script host. In the case of PowerShell, "blocked" scripts will still run, but only in [Constrained Language Mode](/powershell/module/microsoft.powershell.core/about/about_language_modes). Authorized scripts run in Full Language Mode. ## Related articles diff --git a/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md index f983d739b8..024c53413c 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md @@ -22,54 +22,61 @@ ms.technology: windows-sec **Applies to:** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above +- Windows 10 +- Windows 11 +- Windows Server 2016 and above >[!NOTE] >Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). -As you deploy Windows Defender Application Control (WDAC), you might need to sign catalog files or WDAC policies internally. To do this signature, you'll either need a publicly issued code signing certificate or an internal CA. If you've purchased a code-signing certificate, you can skip this topic and instead follow other topics listed in the [Windows Defender Application Control Deployment Guide](windows-defender-application-control-deployment-guide.md). +As you deploy Windows Defender Application Control (WDAC), you might need to sign catalog files or WDAC policies internally. To do this signature, you'll either need a publicly issued code signing certificate or an internal CA. If you've purchased a code-signing certificate, you can skip this article and instead follow other articles listed in the [Windows Defender Application Control Deployment Guide](windows-defender-application-control-deployment-guide.md). -If you have an internal CA, complete these steps to create a code signing certificate. -Only RSA algorithm is supported for the code signing certificate, and signatures must be PKCS 1.5 padded. -ECDSA isn't supported. +If you have an internal CA, complete these steps to create a code signing certificate. -1. Open the Certification Authority Microsoft Management Console (MMC) snap-in, and then select your issuing CA. +> [!WARNING] +> Boot failure (blue screen) may occur if your signing certificate does not follow these rules: +> +> - All policies, including base and supplemental, must be signed according to the [PKCS 7 Standard](https://datatracker.ietf.org/doc/html/rfc5652). +> - Use RSA SHA-256 only. ECDSA isn't supported. +> - Don't use UTF-8 encoding for certificate fields, like 'subject common name' and 'issuer common name'. These strings must be encoded as PRINTABLE_STRING, IA5STRING or BMPSTRING. +> - Keys must be less than or equal to 4K key size +> -2. When connected, right-click **Certificate Templates**, and then click **Manage** to open the Certification Templates Console. +1. Open the Certification Authority Microsoft Management Console (MMC) snap-in, and then select your issuing CA. + +2. When connected, right-click **Certificate Templates**, and then select **Manage** to open the Certification Templates Console. ![CA snap-in showing Certificate Templates.](images/dg-fig27-managecerttemp.png) Figure 1. Manage the certificate templates -3. In the navigation pane, right-click the Code Signing certificate, and then click **Duplicate Template**. +3. In the navigation pane, right-click the Code Signing certificate, and then select **Duplicate Template**. -4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** from the **Certification Authority** list, and then select **Windows 8 / Windows Server 2012** from the **Certificate recipient** list. +4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** from the **Certification Authority** list, and then select **Windows 8 / Windows Server 2012** from the **Certificate recipient** list. -5. On the **General** tab, specify the **Template display name** and **Template name**. This example uses the name **WDAC Catalog Signing Certificate**. +5. On the **General** tab, specify the **Template display name** and **Template name**. This example uses the name **WDAC Catalog Signing Certificate**. -6. On the **Request Handling** tab, select the **Allow private key to be exported** check box. +6. On the **Request Handling** tab, select the **Allow private key to be exported** check box. -7. On the **Extensions** tab, select the **Basic Constraints** check box, and then click **Edit**. +7. On the **Extensions** tab, select the **Basic Constraints** check box, and then select **Edit**. -8. In the **Edit Basic Constraints Extension** dialog box, select **Enable this extension**, as shown in Figure 2. +8. In the **Edit Basic Constraints Extension** dialog box, select **Enable this extension**, as shown in Figure 2. ![Edit Basic Constraints Extension.](images/dg-fig29-enableconstraints.png) Figure 2. Select constraints on the new template -9. If a certificate manager is required to approve any issued certificates, on the **Issuance Requirements** tab, select **CA certificate manager approval**. +9. If a certificate manager is required to approve any issued certificates, on the **Issuance Requirements** tab, select **CA certificate manager approval**. 10. On the **Subject Name** tab, select **Supply in the request**. 11. On the **Security** tab, verify that whatever account will be used to request the certificate has the right to enroll the certificate. -12. Click **OK** to create the template, and then close the Certificate Template Console. +12. Select **OK** to create the template, and then close the Certificate Template Console. When this certificate template has been created, you must publish it to the CA published template store. To do so, complete the following steps: -1. In the Certification Authority MMC snap-in, right-click **Certification Templates**, point to **New**, and then click **Certificate Template to Issue**, as shown in Figure 3. +1. In the Certification Authority MMC snap-in, right-click **Certification Templates**, point to **New**, and then select **Certificate Template to Issue**, as shown in Figure 3. ![Select Certificate Template to Issue.](images/dg-fig30-selectnewcert.png) @@ -77,38 +84,38 @@ When this certificate template has been created, you must publish it to the CA p A list of available templates to issue appears, including the template you created. -2. Select the WDAC Catalog signing certificate, and then click **OK**. +2. Select the WDAC Catalog signing certificate, and then select **OK**. Now that the template is available to be issued, you must request one from the computer running Windows 10 and Windows 11 on which you create and sign catalog files. To begin, open the MMC, and then complete the following steps: -1. In MMC, from the **File** menu, click **Add/Remove Snap-in**. Double-click **Certificates**, and then select **My user account**. +1. In MMC, from the **File** menu, select **Add/Remove Snap-in**. Double-click **Certificates**, and then select **My user account**. -2. In the Certificates snap-in, right-click the Personal store folder, point to **All Tasks**, and then click **Request New Certificate**. +2. In the Certificates snap-in, right-click the Personal store folder, point to **All Tasks**, and then select **Request New Certificate**. -3. Click **Next** twice to get to the certificate selection list. +3. Select **Next** twice to get to the certificate selection list. -4. In the **Request Certificate** list, select your newly created code signing certificate, and then select the blue text that requests additional information, as shown in Figure 4. +4. In the **Request Certificate** list, select your newly created code signing certificate, and then select the blue text that requests additional information, as shown in Figure 4. ![Request Certificates: more information required.](images/dg-fig31-getmoreinfo.png) Figure 4. Get more information for your code signing certificate -5. In the **Certificate Properties** dialog box, for **Type**, select **Common name**. For **Value**, select **ContosoDGSigningCert**, and then click **Add**. When added, click **OK.** +5. In the **Certificate Properties** dialog box, for **Type**, select **Common name**. For **Value**, select **ContosoDGSigningCert**, and then select **Add**. When added, select **OK.** -6. Enroll and finish. +6. Enroll and finish. >[!NOTE] >If a certificate manager is required to approve any issued certificates and you selected to require management approval on the template, the request will need to be approved in the CA before it will be issued to the client. -This certificate must be installed in the user's personal store on the computer that will be signing the catalog files and code integrity policies. If the signing is going to be taking place on the computer on which you just requested the certificate, exporting the certificate to a .pfx file won't be required because it already exists in your personal store. If you're signing on another computer, you'll need to export the .pfx certificate with the necessary keys and properties. To do so, complete the following steps: +This certificate must be installed in the user's personal store on the computer that will be signing the catalog files and code integrity policies. If the signing will happen on the same computer you used to request the certificate, you can skip the following steps. If you'll be signing on another computer, you need to export the .pfx certificate with the necessary keys and properties. To do so, complete the following steps: -1. Right-click the certificate, point to **All Tasks**, and then click **Export**. +1. Right-click the certificate, point to **All Tasks**, and then select **Export**. -2. Click **Next**, and then select **Yes, export the private key**. +2. Select **Next**, and then select **Yes, export the private key**. -3. Choose the default settings, and then select **Export all extended properties**. +3. Choose the default settings, and then select **Export all extended properties**. -4. Set a password, select an export path, and then select **WDACCatSigningCert.pfx** as the file name. +4. Set a password, select an export path, and then select **WDACCatSigningCert.pfx** as the file name. When the certificate has been exported, import it into the personal store for the user who will be signing the catalog files or code integrity policies on the specific computer that will be signing them. @@ -117,4 +124,3 @@ When the certificate has been exported, import it into the personal store for th - [Windows Defender Application Control](windows-defender-application-control.md) - [Windows Defender Application Control Deployment Guide](windows-defender-application-control-deployment-guide.md) - diff --git a/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md b/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md index 2d31e8f0f7..f9b070ff3b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md @@ -1,6 +1,6 @@ --- -title: Create a WDAC policy for fixed-workload devices using a reference computer (Windows) -description: To create a Windows Defender Application Control (WDAC) policy for fixed-workload devices within your organization, follow this guide. +title: Create a WDAC policy using a reference computer (Windows) +description: To create a Windows Defender Application Control (WDAC) policy that allows all code installed on a reference computer within your organization, follow this guide. keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb ms.prod: m365-security @@ -11,83 +11,133 @@ ms.localizationpriority: medium audience: ITPro ms.collection: M365-security-compliance author: jsuther1974 -ms.reviewer: isbrahm +ms.reviewer: jogeurte ms.author: dansimp manager: dansimp -ms.date: 05/03/2018 +ms.date: 08/08/2022 ms.technology: windows-sec --- -# Create a WDAC policy for fixed-workload devices using a reference computer +# Create a WDAC policy using a reference computer **Applies to:** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above +- Windows 10 +- Windows 11 +- Windows Server 2016 and above >[!NOTE] >Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). -This section outlines the process to create a Windows Defender Application Control (WDAC) policy for fixed-workload devices within an organization. Fixed-workload devices tend to be dedicated to a specific functional purpose and share common configuration attributes with other devices servicing the same functional role. Examples of fixed-workload devices may include Active Directory Domain Controllers, Secure Admin Workstations, pharmaceutical drug-mixing equipment, manufacturing devices, cash registers, ATMs, etc. - -For this example, you must initiate variables to be used during the creation process or use the full file paths in the command. -Then create the WDAC policy by scanning the system for installed applications. -The policy file is converted to binary format when it gets created so that Windows can interpret it. - -## Overview of the process of creating Windows Defender Application Control policies - -A common system imaging practice in today’s IT organization is to establish a “golden” image as a reference for what an ideal system should look like, and then use that image to clone more company assets. Windows Defender Application Control policies follow a similar methodology that begins with the establishment of a golden computer. As with imaging, you can have multiple golden computers based on model, department, application set, and so on. Although the thought process around the creation of WDAC policies is similar to imaging, these policies should be maintained independently. Assess the necessity of more WDAC policies based on what should be allowed to be installed and run and for whom. For more information on doing this assessment, see the [WDAC Design Guide](windows-defender-application-control-design-guide.md). - -Optionally, WDAC can align with your software catalog and any IT department–approved applications. One straightforward method to implement WDAC is to use existing images to create one master WDAC policy. You do so by creating a WDAC policy from each image, and then by merging the policies. This way, what is installed on all of those images will be allowed to run, if the applications are installed on a computer based on a different image. Alternatively, you may choose to create a base applications policy and add policies based on the computer’s role or department. Organizations have a choice of how their policies are created, merged, or serviced, and managed. - -If you plan to use an internal CA to sign catalog files or WDAC policies, see the steps in [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md). +This section outlines the process to create a Windows Defender Application Control (WDAC) policy **using a reference computer** that is already configured with the software you want to allow. You can use this approach for fixed-workload devices that are dedicated to a specific functional purpose and share common configuration attributes with other devices servicing the same functional role. Examples of fixed-workload devices may include Active Directory Domain Controllers, Secure Admin Workstations, pharmaceutical drug-mixing equipment, manufacturing devices, cash registers, ATMs, etc. This approach can also be used to turn on WDAC on systems "in the wild" and you want to minimize the potential impact on users' productivity. > [!NOTE] -> Make sure the reference computer is virus and malware-free, and install any software you want to be scanned before creating the WDAC policy. +> Some of the Windows Defender Application Control options described in this topic are only available on Windows 10 version 1903 and above, or Windows 11. When using this topic to plan your own organization's WDAC policies, consider whether your managed clients can use all or some of these features and assess the impact for any features that may be unavailable on your clients. You may need to adapt this guidance to meet your specific organization's needs. -Each installed software application should be validated as trustworthy before you create a policy. -We recommend that you review the reference computer for software that can load arbitrary DLLs and run code or scripts that could render the PC more vulnerable. -Examples include software aimed at development or scripting such as msbuild.exe (part of Visual Studio and the .NET Framework) which can be removed if you don't want to run scripts. -You can remove or disable such software on the reference computer. +As described in [common Windows Defender Application Control deployment scenarios](types-of-devices.md), we'll use the example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. Lamna is attempting to adopt stronger application policies, including the use of application control to prevent unwanted or unauthorized applications from running on their managed devices. -To create a Windows Defender Application Control policy, copy each of the following commands into an elevated Windows PowerShell session, in order: +**Alice Pena** is the IT team lead tasked with the rollout of WDAC. -1. Initialize variables that you'll use. +## Create a custom base policy using a reference device + +Alice previously created a policy for the organization's fully managed end-user devices. She now wants to use WDAC to protect Lamna's critical infrastructure servers. Lamna's imaging practice for infrastructure systems is to establish a “golden” image as a reference for what an ideal system should look like, and then use that image to clone more company assets. Alice decides to use these same "golden" image systems to create the WDAC policies, which will result in separate custom base policies for each type of infrastructure server. As with imaging, she'll have to create policies from multiple golden computers based on model, department, application set, and so on. + +> [!NOTE] +> Make sure the reference computer is virus and malware-free, and install any software you want to be scanned before creating the WDAC policy.

                  Each installed software application should be validated as trustworthy before you create a policy.

                  We recommend that you review the reference computer for software that can load arbitrary DLLs and run code or scripts that could render the PC more vulnerable. Examples include software aimed at development or scripting such as msbuild.exe (part of Visual Studio and the .NET Framework) which can be removed if you don't want to run scripts. You can remove or disable such software on the reference computer. + +Alice identifies the following key factors to arrive at the "circle-of-trust" for Lamna's critical infrastructure servers: + +- All devices are running Windows Server 2019 or above; +- All apps are centrally managed and deployed; +- No interactive users. + +Based on the above, Alice defines the pseudo-rules for the policy: + +1. **“Windows works”** rules that authorize: + - Windows + - WHQL (third-party kernel drivers) + - Windows Store signed apps + +2. Rules for **scanned files** that authorize all pre-existing app binaries found on the device + +To create the WDAC policy, Alice runs each of the following commands in an elevated Windows PowerShell session, in order: + +1. Initialize variables. ```powershell $PolicyPath=$env:userprofile+"\Desktop\" $PolicyName="FixedWorkloadPolicy_Audit" - $WDACPolicy=$PolicyPath+$PolicyName+".xml" - $WDACPolicyBin=$PolicyPath+$PolicyName+".bin" + $LamnaServerPolicy=$PolicyPath+$PolicyName+".xml" + $DefaultWindowsPolicy=$env:windir+"\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_Audit.xml" + ``` 2. Use [New-CIPolicy](/powershell/module/configci/new-cipolicy) to create a new WDAC policy by scanning the system for installed applications: ```powershell - New-CIPolicy -Level PcaCertificate -FilePath $WDACPolicy –UserPEs 3> CIPolicyLog.txt + New-CIPolicy -FilePath $LamnaServerPolicy -Level SignedVersion -Fallback FilePublisher,FileName,Hash -ScanPath c:\ -UserPEs -MultiplePolicyFormat -OmitPaths c:\Windows,'C:\Program Files\WindowsApps\',c:\windows.old\,c:\users\ 3> CIPolicyLog.txt ``` > [!Note] - > - > - When you specify the **-UserPEs** parameter (to include user mode executables in the scan), rule option **0 Enabled:UMCI** is automatically added to the WDAC policy. In contrast, if you do not specify **-UserPEs**, the policy will be empty of user mode executables and will only have rules for kernel mode binaries like drivers, in other words, the allow list will not include applications. If you create such a policy and later add rule option **0 Enabled:UMCI**, all attempts to start applications will cause a response from Windows Defender Application Control. In audit mode, the response is logging an event, and in enforced mode, the response is blocking the application. - > - You can add the **-MultiplePolicyFormat** parameter when creating policies which will be deployed to computers which are running Windows build 1903+. For more information about multiple policies, see [Deploy multiple Windows Defender Application Control policies](deploy-multiple-windows-defender-application-control-policies.md). + > > - You can add the **-Fallback** parameter to catch any applications not discovered using the primary file rule level specified by the **-Level** parameter. For more information about file rule level options, see [Windows Defender Application Control file rule levels](select-types-of-rules-to-create.md). - > > - To specify that the WDAC policy scan only a specific drive, include the **-ScanPath** parameter followed by a path. Without this parameter, the tool will scan the C-drive by default. - > + > - When you specify the **-UserPEs** parameter (to include user mode executables in the scan), rule option **0 Enabled:UMCI** is automatically added to the WDAC policy. If you do not specify **-UserPEs**, the policy will be empty of user mode executables and will only have rules for kernel mode binaries like drivers. In other words, the allow list will not include applications. If you create such a policy and later add rule option **0 Enabled:UMCI**, all attempts to start applications will cause a response from Windows Defender Application Control. In audit mode, the response is logging an event, and in enforced mode, the response is blocking the application. + > - To create a policy for Windows 10 1903 and above, including support for supplemental policies, use **-MultiplePolicyFormat**. + > - To specify a list of paths to exclude from the scan, use the **-OmitPaths** option and supply a comma-delimited list of paths. > - The preceding example includes `3> CIPolicylog.txt`, which redirects warning messages to a text file, **CIPolicylog.txt**. -3. Use [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) to convert the WDAC policy to a binary format: +3. Merge the new policy with the WindowsDefault_Audit policy to ensure all Windows binaries and kernel drivers will load. + + ```powershell + Merge-CIPolicy -OutputFilePath $LamnaServerPolicy -PolicyPaths $LamnaServerPolicy,$DefaultWindowsPolicy + ``` + +4. Give the new policy a descriptive name, and initial version number: + + ```powershell + Set-CIPolicyIdInfo -FilePath $LamnaServerPolicy -PolicyName $PolicyName + Set-CIPolicyVersion -FilePath $LamnaServerPolicy -Version "1.0.0.0" + ``` + +5. Modify the merged policy to set policy rules: + + ```powershell + Set-RuleOption -FilePath $LamnaServerPolicy -Option 3 # Audit Mode + Set-RuleOption -FilePath $LamnaServerPolicy -Option 6 # Unsigned Policy + Set-RuleOption -FilePath $LamnaServerPolicy -Option 9 # Advanced Boot Menu + Set-RuleOption -FilePath $LamnaServerPolicy -Option 12 # Enforce Store Apps + Set-RuleOption -FilePath $LamnaServerPolicy -Option 16 # No Reboot + Set-RuleOption -FilePath $LamnaServerPolicy -Option 17 # Allow Supplemental + Set-RuleOption -FilePath $LamnaServerPolicy -Option 19 # Dynamic Code Security + ``` + +6. If appropriate, add more signer or file rules to further customize the policy for your organization. + +7. Use [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) to convert the WDAC policy to a binary format: ```powershell - ConvertFrom-CIPolicy $WDACPolicy $WDACPolicyBin + [xml]$LamnaServerPolicyXML = Get-Content $LamnaServerPolicy + $PolicyId = $LamnaServerPolicyXML.SiPolicy.PolicyId + $LamnaServerPolicyBin = $PolicyPath+$PolicyId+".cip" + ConvertFrom-CIPolicy $LamnaServerPolicy $LamnaServerPolicyBin ``` -After you complete these steps, the WDAC binary file ($WDACPolicyBin) and original .xml file ($WDACPolicy) will be available on your desktop. You can use the binary file as a WDAC policy or sign it for more security. +8. Upload the base policy XML and the associated binary to a source control solution such as [GitHub](https://github.com/) or a document management solution such as [Office 365 SharePoint](https://products.office.com/sharepoint/collaboration). -> [!NOTE] -> We recommend that you keep the original .xml file of the policy for use when you need to merge the WDAC policy with another policy or update its rule options. Alternatively, you would have to create a new policy from a new scan for servicing. For more information about how to merge WDAC policies, see [Merge Windows Defender Application Control policies](merge-windows-defender-application-control-policies.md). +Alice now has an initial policy for Lamna's critical infrastructure servers that is ready to deploy in audit mode. -We recommend that every WDAC policy be run in audit mode before being enforced. Doing so allows administrators to discover any issues with the policy without receiving error messages. For information about how to audit a WDAC policy, see [Audit Windows Defender Application Control policies](audit-windows-defender-application-control-policies.md). +## Create a custom base policy to minimize user impact on in-use client devices +Alice previously created a policy for the organization's fully managed devices. Alice has included the fully managed device policy as part of Lamna's device build process so all new devices now begin with WDAC enabled. She's preparing to deploy the policy to systems that are already in use, but is worried about causing disruption to users' productivity. To minimize that risk, Alice decides to take a different approach for those systems. She'll continue to deploy the fully managed device policy in audit mode to those devices, but for enforcement mode she'll merge the fully managed device policy rules with a policy created by scanning the device for all previously installed software. In this way, each device is treated as its own "golden" system. +Alice identifies the following key factors to arrive at the "circle-of-trust" for Lamna's fully managed in-use devices: + +- Everything described for Lamna's [Fully Managed Devices](create-wdac-policy-for-fully-managed-devices.md); +- Users have installed apps that they need to continue to run. + +Based on the above, Alice defines the pseudo-rules for the policy: + +1. Everything included in the Fully Managed Devices policy +2. Rules for **scanned files** that authorize all pre-existing app binaries found on the device + +For Lamna's existing, in-use devices, Alice deploys a script along with the Fully Managed Devices policy XML (not the converted WDAC policy binary). The script then generates a custom policy locally on the client as described in the previous section, but instead of merging with the DefaultWindows policy, the script merges with Lamna's Fully Managed Devices policy. Alice also modifies the steps above to match the requirements of this different use case. diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md index 7cd08be428..2d13639669 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md @@ -82,8 +82,9 @@ Alice follows these steps to complete this task: 2. On the client device, run the following commands in an elevated Windows PowerShell session to initialize variables: ```powershell + $PolicyPath=$env:userprofile+"\Desktop\" $PolicyName= "Lamna_FullyManagedClients_Audit" - $LamnaPolicy=$env:userprofile+"\Desktop\"+$PolicyName+".xml" + $LamnaPolicy=$PolicyPath+$PolicyName+".xml" $MEMCMPolicy=$env:windir+"\CCM\DeviceGuard\MergedPolicy_Audit_ISG.xml" ``` @@ -121,7 +122,9 @@ Alice follows these steps to complete this task: > In the sample commands below, replace the string "{InsertPolicyID}" with the actual PolicyID GUID (including braces **{ }**) found in your policy XML file. ```powershell - $WDACPolicyBin=$env:userprofile+"\Desktop\"+$PolicyName+"_{InsertPolicyID}.bin" + [xml]$LamnaPolicyXML = Get-Content $LamnaPolicy + $PolicyId = $LamnaPolicyXML.SiPolicy.PolicyId + $LamnaPolicyBin = $PolicyPath+$PolicyId+".cip" ConvertFrom-CIPolicy $LamnaPolicy $WDACPolicyBin ``` diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index 474a39e5dd..e1f7559c0d 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md @@ -90,7 +90,7 @@ Each file rule level has its benefit and disadvantage. Use Table 2 to select the |----------- | ----------- | | **Hash** | Specifies individual [Authenticode/PE image hash values](#more-information-about-hashes) for each discovered binary. This level is the most specific level, and requires more effort to maintain the current product versions’ hash values. Each time a binary is updated, the hash value changes, therefore requiring a policy update. | | **FileName** | Specifies the original filename for each binary. Although the hash values for an application are modified when updated, the file names are typically not. This level offers less specific security than the hash level, but it doesn't typically require a policy update when any binary is modified. | -| **FilePath** | Beginning with Windows 10 version 1903, this level allows binaries to run from specific file path locations. More information about FilePath level rules can be found below. | +| **FilePath** | Beginning with Windows 10 version 1903, this level allows binaries to run from specific file path locations. FilePath rules only apply to user mode binaries and can't be used to allow kernel mode drivers. More information about FilePath level rules can be found below. | | **SignedVersion** | This level combines the publisher rule with a version number. It allows anything to run from the specified publisher with a version at or above the specified version number. | | **Publisher** | This level combines the PcaCertificate level (typically one certificate below the root) and the common name (CN) of the leaf certificate. You can use this rule level to trust a certificate issued by a particular CA and issued to a specific company you trust (such as Intel, for device drivers). | | **FilePublisher** | This level combines the “FileName” attribute of the signed file, plus “Publisher” (PCA certificate with CN of leaf), plus a minimum version number. This option trusts specific files from the specified publisher, with a version at or above the specified version number. | diff --git a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md index 3200f16f8f..07f86d0c75 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md @@ -11,10 +11,10 @@ ms.localizationpriority: medium audience: ITPro ms.collection: M365-security-compliance author: jsuther1974 -ms.reviewer: isbrahm +ms.reviewer: jogeurte ms.author: dansimp manager: dansimp -ms.date: 06/27/2022 +ms.date: 08/15/2022 ms.technology: windows-sec --- @@ -31,26 +31,29 @@ ms.technology: windows-sec Signed Windows Defender Application Control (WDAC) policies give organizations the highest level of malware protection available in Windows—must be signed with [PKCS #7](https://datatracker.ietf.org/doc/html/rfc5652). In addition to their enforced policy rules, signed policies can't be modified or deleted by a user or administrator on the computer. These policies are designed to prevent administrative tampering and kernel mode exploit access. With this idea of the policies in mind, it's much more difficult to remove signed WDAC policies. SecureBoot must be enabled in order to restrict users from updating or removing signed WDAC policies. -Before you sign with PKCS #7 and deploy a signed WDAC policy, we recommend that you [audit the policy](audit-windows-defender-application-control-policies.md) to discover any blocked applications that should be allowed to run. +> [!WARNING] +> Boot failure (blue screen) may occur if your signing certificate does not follow these rules: +> +> - All policies, including base and supplemental, must be signed according to the [PKCS 7 Standard](https://datatracker.ietf.org/doc/html/rfc5652). +> - Use RSA SHA-256 only. ECDSA isn't supported. +> - Don't use UTF-8 encoding for certificate fields, like 'subject common name' and 'issuer common name'. These strings must be encoded as PRINTABLE_STRING, IA5STRING or BMPSTRING. +> - Keys must be less than or equal to 4K key size +> + +Before you sign with PKCS #7 and deploy a signed WDAC policy, we recommend that you [audit the policy](audit-windows-defender-application-control-policies.md) to discover any blocked applications that should be allowed to run. Signing WDAC policies by using an on-premises CA-generated certificate or a purchased code signing certificate is straightforward. -If you don't currently have a code signing certificate exported in .pfx format (containing private keys, extensions, and root certificates), see [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md) to create one with your on-premises CA. +If you don't currently have a code signing certificate exported in .pfx format (containing private keys, extensions, and root certificates), see [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md) to create one with your on-premises CA. Before PKCS #7-signing WDAC policies for the first time, ensure you enable rule options 9 (“Advanced Boot Options Menu”) and 10 (“Boot Audit on Failure”) to leave troubleshooting options available to administrators. To ensure that a rule option is enabled, you can run a command such as `Set-RuleOption -FilePath -Option 9`, even if you're not sure whether the option is already enabled. If so, the command has no effect. When validated and ready for enterprise deployment, you can remove these options. For more information about rule options, see [Windows Defender Application Control policy rules](select-types-of-rules-to-create.md). To sign a Windows Defender Application Control policy with SignTool.exe, you need the following components: -- SignTool.exe, found in the [Windows SDK](https://developer.microsoft.com/windows/downloads/windows-10-sdk/) (Windows 7 or later) +- SignTool.exe, found in the [Windows SDK](https://developer.microsoft.com/windows/downloads/windows-10-sdk/) (Windows 7 or later) -- The binary format of the WDAC policy that you generated in [Create a Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md) or another WDAC policy that you've created - -- An internal CA code signing certificate or a purchased code signing certificate - -> [!NOTE] -> All policies (base and supplemental and single-policy format) must be pkcs7 signed. [PKCS 7 Standard](https://datatracker.ietf.org/doc/html/rfc5652) -> ->Certificate fields, like 'subject common name' and 'issuer common name,' cannot be UTF-8 encoded, otherwise, blue screens may occur. These strings must be encoded as PRINTABLE_STRING, IA5STRING or BMPSTRING. +- The binary format of the WDAC policy that you generated in [Create a Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md) or another WDAC policy that you've created +- An internal CA code signing certificate or a purchased code signing certificate If you don't have a code signing certificate, see [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md) for instructions on how to create one. If you use an alternate certificate or Windows Defender Application Control (WDAC) policy, ensure you update the following steps with the appropriate variables and certificate so that the commands will function properly. To sign the existing WDAC policy, copy each of the following commands into an elevated Windows PowerShell session: @@ -64,12 +67,12 @@ If you don't have a code signing certificate, see [Optional: Create a code signi > [!NOTE] > This example uses the WDAC policy that you created in the [Create a Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md) section. If you are signing another policy, be sure to update the **$CIPolicyPath** variable with the correct information. -2. Import the .pfx code signing certificate. Import the code signing certificate that you'll use to sign the WDAC policy into the signing user’s personal store on the computer that will be doing the signing. In this example, you use the certificate that was created in [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md). +2. Import the .pfx code signing certificate. Import the code signing certificate that you'll use to sign the WDAC policy into the user’s personal store on the computer where the signing happens. In this example, you use the certificate that was created in [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md). 3. Export the .cer code signing certificate. After the code signing certificate has been imported, export the .cer version to your desktop. This version will be added to the policy so that it can be updated later. 4. Navigate to your desktop as the working directory: - + ```powershell cd $env:USERPROFILE\Desktop ``` @@ -104,11 +107,11 @@ If you don't have a code signing certificate, see [Optional: Create a code signi ```powershell sign -v /n "ContosoDGSigningCert" -p7 . -p7co 1.3.6.1.4.1.311.79.1 -fd sha256 $CIPolicyBin ``` - + > [!NOTE] > The *<Path to signtool.exe>* variable should be the full path to the SignTool.exe utility. **ContosoDGSigningCert** is the subject name of the certificate that will be used to sign the WDAC policy. You should import this certificate to your personal certificate store on the computer you use to sign the policy. 9. Validate the signed file. When complete, the commands should output a signed policy file called {PolicyID}.cip to your desktop. You can deploy this file the same way you deploy an enforced or non-enforced policy. For information about how to deploy WDAC policies, see [Deploy and manage Windows Defender Application Control with Group Policy](deployment/deploy-windows-defender-application-control-policies-using-group-policy.md). > [!NOTE] -> The device with the signed policy must be rebooted one time with Secure Boot enabled for the UEFI lock to be set. +> The device with the signed policy must be rebooted one time with Secure Boot enabled for the UEFI lock to be set. diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md index 0d8e2466d8..4256d0a041 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md @@ -1,6 +1,6 @@ --- -title: Windows Defender Application Control and .NET Hardening (Windows) -description: Dynamic Code Security is an application control feature that can verify code loaded by .NET at runtime. +title: Windows Defender Application Control and .NET (Windows) +description: Understand how WDAC and .NET work together and use Dynamic Code Security to verify code loaded by .NET at runtime. keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb ms.prod: m365-security @@ -11,30 +11,43 @@ ms.localizationpriority: medium audience: ITPro ms.collection: M365-security-compliance author: jsuther1974 -ms.reviewer: isbrahm +ms.reviewer: jogeurte ms.author: dansimp manager: dansimp -ms.date: 06/15/2022 +ms.date: 08/10/2022 ms.technology: windows-sec --- -# Windows Defender Application Control and .NET hardening +# Windows Defender Application Control (WDAC) and .NET -Historically, Windows Defender Application Control (WDAC) has restricted the set of applications, libraries, and scripts that are allowed to run to those sets approved by an organization. -Security researchers have found that some .NET applications may be used to circumvent those controls by using .NET’s capabilities to load libraries from external sources or generate new code on the fly. -Beginning with Windows 10, version 1803, or Windows 11, Windows Defender Application Control features a new capability, called *Dynamic Code Security* to verify code loaded by .NET at runtime. +.NET apps (as written in a high-level language like C#) are compiled to an Intermediate Language (IL). IL is a compact code format that can be supported on any operating system or architecture. Most .NET apps use APIs that are supported in multiple environments, requiring only the .NET runtime to run. IL needs to be compiled to native code in order to execute on a CPU, for example Arm64 or x64. When .NET compiles IL to native image (NI) on a device with a WDAC user mode policy, it first checks whether the original IL file passes the current WDAC policies. If so, .NET sets an NTFS extended attribute (EA) on the generated NI file so that WDAC knows to trust it as well. When the .NET app runs, WDAC sees the EA on the NI file and allows it. + +The EA set on the NI file only applies to the currently active WDAC policies. If one of the active WDAC policies is updated or a new policy is applied, the EA on the NI file is invalidated. The next time the app runs, WDAC will block the NI file. .NET handles the block gracefully and will fall back to the original IL code. If the IL still passes the latest WDAC policies, then the app runs without any functional impact. Since the IL is now being compiled at runtime, you may notice a slight impact to performance of the app. When .NET must fall back to IL, .NET will also schedule a process to run at the next maintenance window to regenerate all NI files, thus reestablishing the WDAC EA for all code that passes the latest WDAC policies. + +In some cases, if an NI file is blocked, you may see a "false positive" block event in the *CodeIntegrity - Operational* event log as described in [WDAC Admin Tips & Known Issues](/windows/security/threat-protection/windows-defender-application-control/operations/known-issues#net-native-images-may-generate-false-positive-block-events). + +To mitigate any performance impact caused when the WDAC EA isn't valid or missing, use any of the following strategies: + +1. Work with the app developer to pre-compile their NI and digitally sign it. Then, ensure your WDAC policies allow that signature; +2. Run *ngen.exe update* to force .NET to regenerate all NI files immediately after applying changes to your WDAC policies; +3. [Create and sign a catalog file](/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control) for the native images + +## WDAC and .NET hardening + +Security researchers have found that some .NET capabilities that allow apps to load libraries from external sources or generate new code at runtime can be used to circumvent WDAC controls. +Beginning with Windows 10, version 1803, WDAC includes a new option, called *Dynamic Code Security* that works with .NET to verify code loaded at runtime. When the Dynamic Code Security option is enabled, Application Control policy is applied to libraries that .NET loads from external sources. For example, any non-local sources, such as the internet or a network share. -Additionally, it detects tampering in code generated to disk by .NET and blocks loading code that has been tampered with. +Additionally, it detects tampering in code generated to disk by .NET and blocks loading code that has been tampered with. -Dynamic Code Security isn't enabled by default because existing policies may not account for externally loaded libraries. -Additionally, a few .NET loading features, including loading unsigned assemblies built with System.Reflection.Emit, aren't currently supported with Dynamic Code Security enabled. -Microsoft recommends testing Dynamic Code Security in audit mode before enforcing it to discover whether any new libraries should be included in the policy. +Dynamic Code Security isn't enabled by default because existing policies may not account for externally loaded libraries. +Additionally, a few .NET loading features, including loading unsigned assemblies built with System.Reflection.Emit, aren't currently supported with Dynamic Code Security enabled. +Microsoft recommends testing Dynamic Code Security in audit mode before enforcing it to discover whether any new libraries should be included in the policy. -Additionally, customers can precompile for deployment only to prevent an allowed executable from being terminated because it tries to load unsigned dynamically generated code. See the "Precompiling for Deployment Only" section in the [ASP.NET Precompilation Overview](/aspnet/web-forms/overview/older-versions-getting-started/deploying-web-site-projects/precompiling-your-website-cs) document for how to fix that. +Additionally, customers can precompile for deployment only to prevent an allowed executable from being terminated because it tries to load unsigned dynamically generated code. See the "Precompiling for Deployment Only" section in the [ASP.NET Precompilation Overview](/previous-versions/aspnet/bb398860(v=vs.100)) document for how to fix that. -To enable Dynamic Code Security, add the following option to the `` section of your policy: +To enable Dynamic Code Security, add the following option to the `` section of your WDAC policy: ```xml diff --git a/windows/security/threat-protection/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md b/windows/security/threat-protection/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md index 669d4ede86..b663f72d19 100644 --- a/windows/security/threat-protection/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md +++ b/windows/security/threat-protection/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md @@ -2,28 +2,30 @@ title: Add Production Devices to the Membership Group for a Zone (Windows) description: Learn how to add production devices to the membership group for a zone and refresh the group policy on the devices in the membership group. ms.assetid: 7141de15-5840-4beb-aabe-21c1dd89eb23 -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Add Production Devices to the Membership Group for a Zone -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above After you test the GPOs for your design on a small set of devices, you can deploy them to the production devices. diff --git a/windows/security/threat-protection/windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md b/windows/security/threat-protection/windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md index 15f91730ba..9f5d3bac7c 100644 --- a/windows/security/threat-protection/windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md +++ b/windows/security/threat-protection/windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md @@ -2,28 +2,30 @@ title: Add Test Devices to the Membership Group for a Zone (Windows) description: Learn how to add devices to the group for a zone to test whether your Windows Defender Firewall with Advanced Security implementation works as expected. ms.assetid: 47057d90-b053-48a3-b881-4f2458d3e431 -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Add Test Devices to the Membership Group for a Zone -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above Before you deploy your rules to large numbers of devices, you must thoroughly test the rules to make sure that communications are working as expected. A misplaced WMI filter or an incorrectly typed IP address in a filter list can easily block communications between devices. Although we recommend that you set your rules to request mode until testing and deployment is complete. We also recommend that you initially deploy the rules to a few devices only to be sure that the correct GPOs are being processed by each device. diff --git a/windows/security/threat-protection/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md b/windows/security/threat-protection/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md index 1a7d5dd07e..180ebf61e7 100644 --- a/windows/security/threat-protection/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md +++ b/windows/security/threat-protection/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md @@ -2,28 +2,30 @@ title: Appendix A Sample GPO Template Files for Settings Used in this Guide (Windows) description: Use sample template files import an XML file containing customized registry preferences into a Group Policy Object (GPO). ms.assetid: 75930afd-ab1b-4e53-915b-a28787814b38 -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Appendix A: Sample GPO Template Files for Settings Used in this Guide -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above You can import an XML file containing customized registry preferences into a Group Policy Object (GPO) by using the Preferences feature of the Group Policy Management Console (GPMC). diff --git a/windows/security/threat-protection/windows-firewall/assign-security-group-filters-to-the-gpo.md b/windows/security/threat-protection/windows-firewall/assign-security-group-filters-to-the-gpo.md index 221490f2e9..88a28959fc 100644 --- a/windows/security/threat-protection/windows-firewall/assign-security-group-filters-to-the-gpo.md +++ b/windows/security/threat-protection/windows-firewall/assign-security-group-filters-to-the-gpo.md @@ -2,28 +2,30 @@ title: Assign Security Group Filters to the GPO (Windows) description: Learn how to use Group Policy Management MMC to assign security group filters to a GPO to make sure that the GPO is applied to the correct computers. ms.assetid: bcbe3299-8d87-4ec1-9e86-8e4a680fd7c8 -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Assign Security Group Filters to the GPO -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above To make sure that your GPO is applied to the correct computers, use the Group Policy Management MMC snap-in to assign security group filters to the GPO. diff --git a/windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md b/windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md index b2dfe86d3b..68b7ae50a0 100644 --- a/windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md +++ b/windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md @@ -2,27 +2,29 @@ title: Basic Firewall Policy Design (Windows) description: Protect the devices in your organization from unwanted network traffic that gets through the perimeter defenses by using basic firewall policy design. ms.assetid: 6f7af99e-6850-4522-b7f5-db98e6941418 -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Basic Firewall Policy Design -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above Many organizations have a network perimeter firewall that is designed to prevent the entry of malicious traffic in to the organization's network, but don't have a host-based firewall enabled on each device in the organization. diff --git a/windows/security/threat-protection/windows-firewall/best-practices-configuring.md b/windows/security/threat-protection/windows-firewall/best-practices-configuring.md index d71e89f983..db778a73a8 100644 --- a/windows/security/threat-protection/windows-firewall/best-practices-configuring.md +++ b/windows/security/threat-protection/windows-firewall/best-practices-configuring.md @@ -6,14 +6,20 @@ ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.author: maccruz -author: schmurky +ms.author: paoloma +author: paolomatarazzo ms.localizationpriority: medium -manager: dansimp +manager: aaroncz audience: ITPro ms.collection: M365-security-compliance ms.topic: article ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Best practices for configuring Windows Defender Firewall diff --git a/windows/security/threat-protection/windows-firewall/boundary-zone-gpos.md b/windows/security/threat-protection/windows-firewall/boundary-zone-gpos.md index 10fa58f666..77da6ba1be 100644 --- a/windows/security/threat-protection/windows-firewall/boundary-zone-gpos.md +++ b/windows/security/threat-protection/windows-firewall/boundary-zone-gpos.md @@ -2,28 +2,30 @@ title: Boundary Zone GPOs (Windows) description: Learn about GPOs to create that must align with the group you create for the boundary zone in Windows Defender Firewall with Advanced Security. ms.assetid: 1ae66088-02c3-47e4-b7e8-74d0b8f8646e -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Boundary Zone GPOs -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above All the devices in the boundary zone are added to the group CG\_DOMISO\_Boundary. You must create multiple GPOs to align with this group, one for each operating system that you have in your boundary zone. This group is granted Read and Apply permissions in Group Policy on the GPOs described in this section. diff --git a/windows/security/threat-protection/windows-firewall/boundary-zone.md b/windows/security/threat-protection/windows-firewall/boundary-zone.md index 11d52f96fe..d8077459ac 100644 --- a/windows/security/threat-protection/windows-firewall/boundary-zone.md +++ b/windows/security/threat-protection/windows-firewall/boundary-zone.md @@ -2,28 +2,30 @@ title: Boundary Zone (Windows) description: Learn how a boundary zone supports devices that must receive traffic from beyond an isolated domain in Windows Defender Firewall with Advanced Security. ms.assetid: ed98b680-fd24-44bd-a7dd-26c522e45a20 -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Boundary Zone - -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above + In most organizations, some devices can receive network traffic from devices that aren't part of the isolated domain, and therefore can't authenticate. To accept communications from untrusted devices, create a boundary zone within your isolated domain. diff --git a/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design-example.md b/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design-example.md index 17c7175cd6..02c88fdfb7 100644 --- a/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design-example.md +++ b/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design-example.md @@ -2,28 +2,30 @@ title: Certificate-based Isolation Policy Design Example (Windows) description: This example uses a fictitious company to illustrate certificate-based isolation policy design in Windows Defender Firewall with Advanced Security. ms.assetid: 509b513e-dd49-4234-99f9-636fd2f749e3 -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Certificate-based Isolation Policy Design Example -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above This design example continues to use the fictitious company Woodgrove Bank, as described in the sections [Firewall Policy Design Example](firewall-policy-design-example.md), [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md), and [Server Isolation Policy Design Example](server-isolation-policy-design-example.md). diff --git a/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design.md index e61836e9ce..c21f3ae251 100644 --- a/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design.md +++ b/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design.md @@ -2,28 +2,30 @@ title: Certificate-based Isolation Policy Design (Windows) description: Explore the methodology behind Certificate-based Isolation Policy Design and how it defers from Domain Isolation and Server Isolation Policy Design. ms.assetid: 63e01a60-9daa-4701-9472-096c85e0f862 -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Certificate-based isolation policy design -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above In the certificate-based isolation policy design, you provide the same types of protections to your network traffic as described in the [Domain Isolation Policy Design](domain-isolation-policy-design.md) and [Server Isolation Policy Design](server-isolation-policy-design.md) sections. The only difference is the method used to share identification credentials during the authentication of your network traffic. diff --git a/windows/security/threat-protection/windows-firewall/change-rules-from-request-to-require-mode.md b/windows/security/threat-protection/windows-firewall/change-rules-from-request-to-require-mode.md index 88550f7f67..effdd2a70c 100644 --- a/windows/security/threat-protection/windows-firewall/change-rules-from-request-to-require-mode.md +++ b/windows/security/threat-protection/windows-firewall/change-rules-from-request-to-require-mode.md @@ -2,28 +2,30 @@ title: Change Rules from Request to Require Mode (Windows) description: Learn how to convert a rule from request to require mode and apply the modified GPOs to the client devices. ms.assetid: ad969eda-c681-48cb-a2c4-0b6cae5f4cff -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Change Rules from Request to Require Mode -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above After you confirm that network traffic is being correctly protected by using IPsec, you can change the rules for the domain isolation and encryption zones to require, instead of request, authentication. Don't change the rules for the boundary zone; they must stay in request mode so that devices in the boundary zone can continue to accept connections from devices that aren't part of the isolated domain. diff --git a/windows/security/threat-protection/windows-firewall/checklist-configuring-basic-firewall-settings.md b/windows/security/threat-protection/windows-firewall/checklist-configuring-basic-firewall-settings.md index 18558ef571..d3356b14f3 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-configuring-basic-firewall-settings.md +++ b/windows/security/threat-protection/windows-firewall/checklist-configuring-basic-firewall-settings.md @@ -2,28 +2,30 @@ title: Checklist Configuring Basic Firewall Settings (Windows) description: Configure Windows Firewall to set inbound and outbound behavior, display notifications, record log files and more of the necessary function for Firewall. ms.assetid: 0d10cdae-da3d-4a33-b8a4-6b6656b6d1f9 -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Checklist: Configuring Basic Firewall Settings -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above This checklist includes tasks for configuring a GPO with firewall defaults and settings that are separate from the rules. diff --git a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone.md b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone.md index 36fe34357d..176d8f4536 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone.md +++ b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone.md @@ -2,28 +2,30 @@ title: Checklist Configuring Rules for an Isolated Server Zone (Windows) description: Use these tasks to configure connection security rules and IPsec settings in GPOs for servers in an isolated server zone that are part of an isolated domain. ms.assetid: 67c50a91-e71e-4f1e-a534-dad2582e311c -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Checklist: Configuring Rules for an Isolated Server Zone -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above The following checklists include tasks for configuring connection security rules and IPsec settings in your GPOs for servers in an isolated server zone that are part of an isolated domain. For information about creating a standalone isolated server zone that isn't part of an isolated domain, see [Checklist: Implementing a Standalone Server Isolation Policy Design](checklist-implementing-a-standalone-server-isolation-policy-design.md). diff --git a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md index db9e5235c2..e546b37adf 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md +++ b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md @@ -2,28 +2,30 @@ title: Checklist Configuring Rules for Servers in a Standalone Isolated Server Zone (Windows) description: Checklist Configuring Rules for Servers in a Standalone Isolated Server Zone ms.assetid: ccc09d06-ef75-43b0-9c77-db06f2940955 -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Checklist: Configuring Rules for Servers in a Standalone Isolated Server Zone -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above This checklist includes tasks for configuring connection security rules and IPsec settings in your GPOs for servers in a standalone isolated server zone that isn't part of an isolated domain. In addition to requiring authentication and optionally encryption, servers in a server isolation zone are accessible only by users or devices that are authenticated as members of a network access group (NAG). The GPOs described here apply only to the isolated servers, not to the client devices that connect to them. For the GPOs for the client devices, see [Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone](checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md). diff --git a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md index 7e7fc7b158..55e7e19754 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md +++ b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md @@ -2,28 +2,30 @@ title: Checklist Configuring Rules for the Boundary Zone (Windows) description: Use these tasks to configure connection security rules and IPsec settings in your GPOs to implement the boundary zone in an isolated domain. ms.assetid: 25fe0197-de5a-4b4c-bc44-c6f0620ea94b -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Checklist: Configuring Rules for the Boundary Zone -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above The following checklists include tasks for configuring connection security rules and IPsec settings in your GPOs to implement the boundary zone in an isolated domain. diff --git a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md index 1d42ae70b6..5d0a18a69f 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md +++ b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md @@ -2,28 +2,30 @@ title: Checklist Configuring Rules for the Encryption Zone (Windows) description: Use these tasks to configure connection security rules and IPsec settings in your GPOs to implement the encryption zone in an isolated domain. ms.assetid: 87b1787b-0c70-47a4-ae52-700bff505ea4 -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Checklist: Configuring Rules for the Encryption Zone -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above This checklist includes tasks for configuring connection security rules and IPsec settings in your GPOs to implement the encryption zone in an isolated domain. diff --git a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md index 4f86220ff8..648850a336 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md +++ b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md @@ -2,28 +2,30 @@ title: Checklist Configuring Rules for the Isolated Domain (Windows) description: Use these tasks to configure connection security rules and IPsec settings in your GPOs to implement the main zone in the isolated domain. ms.assetid: bfd2d29e-4011-40ec-a52e-a67d4af9748e -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Checklist: Configuring Rules for the Isolated Domain -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above The following checklists include tasks for configuring connection security rules and IPsec settings in your GPOs to implement the main zone in the isolated domain. diff --git a/windows/security/threat-protection/windows-firewall/checklist-creating-group-policy-objects.md b/windows/security/threat-protection/windows-firewall/checklist-creating-group-policy-objects.md index 373174d887..6168d455d3 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-creating-group-policy-objects.md +++ b/windows/security/threat-protection/windows-firewall/checklist-creating-group-policy-objects.md @@ -2,28 +2,30 @@ title: Checklist Creating Group Policy Objects (Windows) description: Learn to deploy firewall settings, IPsec settings, firewall rules, or connection security rules, by using Group Policy in AD DS. ms.assetid: e99bd6a4-34a7-47b5-9791-ae819977a559 -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Checklist: Creating Group Policy Objects -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above To deploy firewall or IPsec settings or firewall or connection security rules, we recommend that you use Group Policy in AD DS. This section describes a tested, efficient method that requires some up-front work, but serves an administrator well in the end by making GPO assignments as easy as dropping a device into a membership group. diff --git a/windows/security/threat-protection/windows-firewall/checklist-creating-inbound-firewall-rules.md b/windows/security/threat-protection/windows-firewall/checklist-creating-inbound-firewall-rules.md index cb5f132795..57a25a4b6c 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-creating-inbound-firewall-rules.md +++ b/windows/security/threat-protection/windows-firewall/checklist-creating-inbound-firewall-rules.md @@ -2,28 +2,30 @@ title: Checklist Creating Inbound Firewall Rules (Windows) description: Use these tasks for creating inbound firewall rules in your GPOs for Windows Defender Firewall with Advanced Security. ms.assetid: 0520e14e-5c82-48da-8fbf-87cef36ce02f -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Checklist: Creating Inbound Firewall Rules -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above This checklist includes tasks for creating firewall rules in your GPOs. diff --git a/windows/security/threat-protection/windows-firewall/checklist-creating-outbound-firewall-rules.md b/windows/security/threat-protection/windows-firewall/checklist-creating-outbound-firewall-rules.md index cc6976169c..879c1a55b6 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-creating-outbound-firewall-rules.md +++ b/windows/security/threat-protection/windows-firewall/checklist-creating-outbound-firewall-rules.md @@ -2,28 +2,30 @@ title: Checklist Creating Outbound Firewall Rules (Windows) description: Use these tasks for creating outbound firewall rules in your GPOs for Windows Defender Firewall with Advanced Security. ms.assetid: 611bb98f-4e97-411f-82bf-7a844a4130de -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Checklist: Creating Outbound Firewall Rules -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above This checklist includes tasks for creating outbound firewall rules in your GPOs. diff --git a/windows/security/threat-protection/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md b/windows/security/threat-protection/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md index b6369d7c01..9094725eda 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md +++ b/windows/security/threat-protection/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md @@ -2,28 +2,30 @@ title: Create Rules for Standalone Isolated Server Zone Clients (Windows) description: Checklist for when creating rules for clients of a Standalone Isolated Server Zone ms.assetid: 6a5e6478-add3-47e3-8221-972549e013f6 -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above This checklist includes tasks for configuring connection security rules and IPsec settings in the GPOs for client devices that must connect to servers in an isolated server zone. diff --git a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md index c9c577bc2e..6a5f00771e 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md +++ b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md @@ -2,28 +2,30 @@ title: Checklist Implementing a Basic Firewall Policy Design (Windows) description: Follow this parent checklist for implementing a basic firewall policy design to ensure successful implementation. ms.assetid: 6caf0c1e-ac72-4f9d-a986-978b77fbbaa3 -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Checklist: Implementing a Basic Firewall Policy Design -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above This parent checklist includes cross-reference links to important concepts about the basic firewall policy design. It also contains links to subordinate checklists that will help you complete the tasks that are required to implement this design. diff --git a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md index 5d59df9ccd..ce48d49c77 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md +++ b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md @@ -2,28 +2,30 @@ title: Checklist Implementing a Certificate-based Isolation Policy Design (Windows) description: Use these references to learn about using certificates as an authentication option and configure a certificate-based isolation policy design. ms.assetid: 1e34b5ea-2e77-4598-a765-550418d33894 -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Checklist: Implementing a Certificate-based Isolation Policy Design -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above This parent checklist includes cross-reference links to important concepts about using certificates as an authentication option in either a domain isolation or server isolation design. diff --git a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md index 6a6f01d952..6061bc86b5 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md +++ b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md @@ -2,28 +2,30 @@ title: Checklist Implementing a Domain Isolation Policy Design (Windows) description: Use these references to learn about the domain isolation policy design and links to other checklists to complete tasks require to implement this design. ms.assetid: 76586eb3-c13c-4d71-812f-76bff200fc20 -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Checklist: Implementing a Domain Isolation Policy Design -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above This parent checklist includes cross-reference links to important concepts about the domain isolation policy design. It also contains links to subordinate checklists that will help you complete the tasks that are required to implement this design. diff --git a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md index c484d2eec0..87364021d1 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md +++ b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md @@ -2,28 +2,30 @@ title: Checklist Implementing a Standalone Server Isolation Policy Design (Windows) description: Use these tasks to create a server isolation policy design that isn't part of an isolated domain. See references to concepts and links to other checklists. ms.assetid: 50a997d8-f079-408c-8ac6-ecd02078ade3 -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Checklist: Implementing a Standalone Server Isolation Policy Design -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above This checklist contains procedures for creating a server isolation policy design that isn't part of an isolated domain. For information on the steps required to create an isolated server zone within an isolated domain, see [Checklist: Configuring Rules for an Isolated Server Zone](checklist-configuring-rules-for-an-isolated-server-zone.md). diff --git a/windows/security/threat-protection/windows-firewall/configure-authentication-methods.md b/windows/security/threat-protection/windows-firewall/configure-authentication-methods.md index b16b7adc8a..7f45ce6466 100644 --- a/windows/security/threat-protection/windows-firewall/configure-authentication-methods.md +++ b/windows/security/threat-protection/windows-firewall/configure-authentication-methods.md @@ -2,28 +2,30 @@ title: Configure Authentication Methods (Windows) description: Learn how to configure authentication methods for devices in an isolated domain or standalone server zone in Windows Defender Firewall with Advanced Security. ms.assetid: 5fcdc523-617f-4233-9213-15fe19f4cd02 -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Configure Authentication Methods -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above This procedure shows you how to configure the authentication methods that can be used by computers in an isolated domain or standalone isolated server zone. diff --git a/windows/security/threat-protection/windows-firewall/configure-data-protection-quick-mode-settings.md b/windows/security/threat-protection/windows-firewall/configure-data-protection-quick-mode-settings.md index 99a5795add..f839c60899 100644 --- a/windows/security/threat-protection/windows-firewall/configure-data-protection-quick-mode-settings.md +++ b/windows/security/threat-protection/windows-firewall/configure-data-protection-quick-mode-settings.md @@ -2,28 +2,30 @@ title: Configure Data Protection (Quick Mode) Settings (Windows) description: Learn how to configure the data protection settings for connection security rules in an isolated domain or a standalone isolated server zone. ms.assetid: fdcb1b36-e267-4be7-b842-5df9a067c9e0 -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Configure Data Protection (Quick Mode) Settings -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above This procedure shows you how to configure the data protection (quick mode) settings for connection security rules in an isolated domain or a standalone isolated server zone. diff --git a/windows/security/threat-protection/windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates.md b/windows/security/threat-protection/windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates.md index ef75edf628..feb3b8e3a2 100644 --- a/windows/security/threat-protection/windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates.md +++ b/windows/security/threat-protection/windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates.md @@ -2,28 +2,30 @@ title: Configure Group Policy to Autoenroll and Deploy Certificates (Windows) description: Learn how to configure Group Policy to automatically enroll client computer certificates and deploy them to the workstations on your network. ms.assetid: faeb62b5-2cc3-42f7-bee5-53ba45d05c09 -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Configure Group Policy to Autoenroll and Deploy Certificates -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above You can use this procedure to configure Group Policy to automatically enroll client computer certificates and deploy them to the workstations on your network. Follow this procedure for each GPO that contains IPsec connection security rules that require this certificate. diff --git a/windows/security/threat-protection/windows-firewall/configure-key-exchange-main-mode-settings.md b/windows/security/threat-protection/windows-firewall/configure-key-exchange-main-mode-settings.md index d630831fe4..dd062985fe 100644 --- a/windows/security/threat-protection/windows-firewall/configure-key-exchange-main-mode-settings.md +++ b/windows/security/threat-protection/windows-firewall/configure-key-exchange-main-mode-settings.md @@ -2,28 +2,30 @@ title: Configure Key Exchange (Main Mode) Settings (Windows) description: Learn how to configure the main mode key exchange settings used to secure the IPsec authentication traffic in Windows Defender Firewall with Advanced Security. ms.assetid: 5c593b6b-2cd9-43de-9b4e-95943fe82f52 -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Configure Key Exchange (Main Mode) Settings -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above This procedure shows you how to configure the main mode key exchange settings used to secure the IPsec authentication traffic. diff --git a/windows/security/threat-protection/windows-firewall/configure-the-rules-to-require-encryption.md b/windows/security/threat-protection/windows-firewall/configure-the-rules-to-require-encryption.md index 00d5f4cd23..2a9fedfb36 100644 --- a/windows/security/threat-protection/windows-firewall/configure-the-rules-to-require-encryption.md +++ b/windows/security/threat-protection/windows-firewall/configure-the-rules-to-require-encryption.md @@ -2,20 +2,26 @@ title: Configure the Rules to Require Encryption (Windows) description: Learn how to configure rules to add encryption algorithms and delete the algorithm combinations that don't use encryption for zones that require encryption. ms.assetid: 07b7760f-3225-4b4b-b418-51787b0972a0 -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Configure the Rules to Require Encryption diff --git a/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md b/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md index 763858cb1e..acae2a5eb6 100644 --- a/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md +++ b/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md @@ -2,28 +2,30 @@ title: Configure the Windows Defender Firewall Log (Windows) description: Learn how to configure Windows Defender Firewall with Advanced Security to log dropped packets or successful connections by using Group Policy Management MMC. ms.assetid: f037113d-506b-44d3-b9c0-0b79d03e7d18 -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Configure the Windows Defender Firewall with Advanced Security Log -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above To configure Windows Defender Firewall with Advanced Security to log dropped packets or successful connections, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management MMC snap-in. diff --git a/windows/security/threat-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md b/windows/security/threat-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md index ae802dff45..7f4b8057f3 100644 --- a/windows/security/threat-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md +++ b/windows/security/threat-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md @@ -2,25 +2,27 @@ title: Configure the Workstation Authentication Template (Windows) description: Learn how to configure a workstation authentication certificate template, which is used for device certificates that are enrolled and deployed to workstations. ms.assetid: c3ac9960-6efc-47c1-bd69-d9d4bf84f7a6 -ms.reviewer: -manager: dansimp -ms.author: dansimp +ms.reviewer: jekrynit +manager: aaroncz +ms.author: paoloma ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp +author: paolomatarazzo ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Configure the Workstation Authentication Certificate Template -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above This procedure describes how to configure a certificate template that Active Directory Certification Services (AD CS) uses as the starting point for device certificates that are automatically enrolled and deployed to workstations in the domain. It shows how to create a copy of a template, and then configure the template according to your design requirements. diff --git a/windows/security/threat-protection/windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md b/windows/security/threat-protection/windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md index da729a7b63..81905439d5 100644 --- a/windows/security/threat-protection/windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md +++ b/windows/security/threat-protection/windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md @@ -2,28 +2,30 @@ title: Configure Windows Defender Firewall with Advanced Security to Suppress Notifications When a Program is Blocked (Windows) description: Configure Windows Defender Firewall with Advanced Security to suppress notifications when a program is Blocked ms.assetid: b7665d1d-f4d2-4b5a-befc-8b6bd940f69b -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Configure Windows Defender Firewall with Advanced Security to Suppress Notifications When a Program Is Blocked -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above To configure Windows Defender Firewall with Advanced Security to suppress the display of a notification when it blocks a program that tries to listen for network traffic and to prohibit locally defined rules, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management console. diff --git a/windows/security/threat-protection/windows-firewall/confirm-that-certificates-are-deployed-correctly.md b/windows/security/threat-protection/windows-firewall/confirm-that-certificates-are-deployed-correctly.md index 45aac5c3bd..e23f800b1e 100644 --- a/windows/security/threat-protection/windows-firewall/confirm-that-certificates-are-deployed-correctly.md +++ b/windows/security/threat-protection/windows-firewall/confirm-that-certificates-are-deployed-correctly.md @@ -2,28 +2,30 @@ title: Confirm That Certificates Are Deployed Correctly (Windows) description: Learn how to confirm that a Group Policy is being applied as expected and that the certificates are being properly installed on the workstations. ms.assetid: de0c8dfe-16b0-4d3b-8e8f-9282f6a65eee -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: securit ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Confirm That Certificates Are Deployed Correctly -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above After configuring your certificates and autoenrollment in Group Policy, you can confirm that the policy is being applied as expected, and that the certificates are being properly installed on the workstation devices. diff --git a/windows/security/threat-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md b/windows/security/threat-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md index a3b8bcee88..603fb772d6 100644 --- a/windows/security/threat-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md +++ b/windows/security/threat-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md @@ -2,28 +2,30 @@ title: Copy a GPO to Create a New GPO (Windows) description: Learn how to make a copy of a GPO by using the Active Directory Users and devices MMC snap-in to create a GPO for boundary zone devices. ms.assetid: 7f6a23e5-4b3f-40d6-bf6d-7895558b1406 -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Copy a GPO to Create a New GPO -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above To create the GPO for the boundary zone devices, make a copy of the main domain isolation GPO, and then change the settings to request, instead of require, authentication. To make a copy of a GPO, use the Active Directory Users and devices MMC snap-in. diff --git a/windows/security/threat-protection/windows-firewall/create-a-group-account-in-active-directory.md b/windows/security/threat-protection/windows-firewall/create-a-group-account-in-active-directory.md index 7f5899e2f5..f3f7a3bb1b 100644 --- a/windows/security/threat-protection/windows-firewall/create-a-group-account-in-active-directory.md +++ b/windows/security/threat-protection/windows-firewall/create-a-group-account-in-active-directory.md @@ -2,28 +2,30 @@ title: Create a Group Account in Active Directory (Windows) description: Learn how to create a security group for the computers that are to receive Group Policy settings by using the Active Directory Users and Computers console. ms.assetid: c3700413-e02d-4d56-96b8-7991f97ae432 -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Create a Group Account in Active Directory -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above To create a security group to contain the computer accounts for the computers that are to receive a set of Group Policy settings, use the Active Directory Users and Computers console. diff --git a/windows/security/threat-protection/windows-firewall/create-a-group-policy-object.md b/windows/security/threat-protection/windows-firewall/create-a-group-policy-object.md index c1f6da0c2a..8926c70552 100644 --- a/windows/security/threat-protection/windows-firewall/create-a-group-policy-object.md +++ b/windows/security/threat-protection/windows-firewall/create-a-group-policy-object.md @@ -2,28 +2,30 @@ title: Create a Group Policy Object (Windows) description: Learn how to use the Active Directory Users and Computers MMC snap-in to create a GPO. You must be a member of the Domain Administrators group. ms.assetid: 72a50dd7-5033-4d97-a5eb-0aff8a35cced -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Create a Group Policy Object -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above To create a new GPO, use the Active Directory Users and Computers MMC snap-in. diff --git a/windows/security/threat-protection/windows-firewall/create-an-authentication-exemption-list-rule.md b/windows/security/threat-protection/windows-firewall/create-an-authentication-exemption-list-rule.md index 513807383f..a2ad8d6f6c 100644 --- a/windows/security/threat-protection/windows-firewall/create-an-authentication-exemption-list-rule.md +++ b/windows/security/threat-protection/windows-firewall/create-an-authentication-exemption-list-rule.md @@ -2,28 +2,30 @@ title: Create an Authentication Exemption List Rule (Windows) description: Learn how to create rules that exempt devices that cannot communicate by using IPSec from the authentication requirements of your isolation policies. ms.assetid: 8f6493f3-8527-462a-82c0-fd91a6cb5dd8 -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Create an Authentication Exemption List Rule -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above In almost any isolated server or isolated domain scenario, there are some devices or devices that cannot communicate by using IPsec. This procedure shows you how to create rules that exempt those devices from the authentication requirements of your isolation policies. diff --git a/windows/security/threat-protection/windows-firewall/create-an-authentication-request-rule.md b/windows/security/threat-protection/windows-firewall/create-an-authentication-request-rule.md index 037a451dee..99d3d07f46 100644 --- a/windows/security/threat-protection/windows-firewall/create-an-authentication-request-rule.md +++ b/windows/security/threat-protection/windows-firewall/create-an-authentication-request-rule.md @@ -2,20 +2,26 @@ title: Create an Authentication Request Rule (Windows) description: Create a new rule for Windows Defender Firewall with Advanced Security so devices on the network use IPsec protocols and methods before they can communicate. ms.assetid: 1296e048-039f-4d1a-aaf2-8472ad05e359 -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Create an Authentication Request Rule diff --git a/windows/security/threat-protection/windows-firewall/create-an-inbound-icmp-rule.md b/windows/security/threat-protection/windows-firewall/create-an-inbound-icmp-rule.md index da5b7f7f20..76b063f72d 100644 --- a/windows/security/threat-protection/windows-firewall/create-an-inbound-icmp-rule.md +++ b/windows/security/threat-protection/windows-firewall/create-an-inbound-icmp-rule.md @@ -2,28 +2,30 @@ title: Create an Inbound ICMP Rule (Windows) description: Learn how to allow inbound ICMP traffic by using the Group Policy Management MMC snap-in to create rules in Windows Defender Firewall with Advanced Security. ms.assetid: 267b940a-79d9-4322-b53b-81901e357344 -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Create an Inbound ICMP Rule -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above To allow inbound Internet Control Message Protocol (ICMP) network traffic, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management MMC snap-in to create firewall rules. This type of rule allows ICMP requests and responses to be sent and received by computers on the network. diff --git a/windows/security/threat-protection/windows-firewall/create-an-inbound-port-rule.md b/windows/security/threat-protection/windows-firewall/create-an-inbound-port-rule.md index 93586077a2..56a7c6808c 100644 --- a/windows/security/threat-protection/windows-firewall/create-an-inbound-port-rule.md +++ b/windows/security/threat-protection/windows-firewall/create-an-inbound-port-rule.md @@ -2,28 +2,30 @@ title: Create an Inbound Port Rule (Windows) description: Learn to allow traffic on specific ports by using the Group Policy Management MMC snap-in to create rules in Windows Defender Firewall with Advanced Security. ms.assetid: a7b6c6ca-32fa-46a9-a5df-a4e43147da9f -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Create an Inbound Port Rule -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above To allow inbound network traffic on only a specified TCP or UDP port number, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management MMC snap-in to create firewall rules. This type of rule allows any program that listens on a specified TCP or UDP port to receive network traffic sent to that port. diff --git a/windows/security/threat-protection/windows-firewall/create-an-inbound-program-or-service-rule.md b/windows/security/threat-protection/windows-firewall/create-an-inbound-program-or-service-rule.md index bb976db9c3..1d6f3352d0 100644 --- a/windows/security/threat-protection/windows-firewall/create-an-inbound-program-or-service-rule.md +++ b/windows/security/threat-protection/windows-firewall/create-an-inbound-program-or-service-rule.md @@ -2,28 +2,30 @@ title: Create an Inbound Program or Service Rule (Windows) description: Learn how to allow inbound traffic to a program or service by using the Group Policy Management MMC snap-in to create firewall rules. ms.assetid: 00b7fa60-7c64-4ba5-ba95-c542052834cf -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Create an Inbound Program or Service Rule -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above To allow inbound network traffic to a specified program or service, use the Windows Defender Firewall with Advanced Securitynode in the Group Policy Management MMC snap-in to create firewall rules. This type of rule allows the program to listen and receive inbound network traffic on any port. diff --git a/windows/security/threat-protection/windows-firewall/create-an-outbound-port-rule.md b/windows/security/threat-protection/windows-firewall/create-an-outbound-port-rule.md index 11f38ec926..9c6df54f31 100644 --- a/windows/security/threat-protection/windows-firewall/create-an-outbound-port-rule.md +++ b/windows/security/threat-protection/windows-firewall/create-an-outbound-port-rule.md @@ -2,28 +2,30 @@ title: Create an Outbound Port Rule (Windows) description: Learn to block outbound traffic on a port by using the Group Policy Management MMC snap-in to create rules in Windows Defender Firewall with Advanced Security. ms.assetid: 59062b91-756b-42ea-8f2a-832f05d77ddf -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Create an Outbound Port Rule -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above By default, Windows Defender Firewall allows all outbound network traffic unless it matches a rule that prohibits the traffic. To block outbound network traffic on a specified TCP or UDP port number, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management console to create firewall rules. This type of rule blocks any outbound network traffic that matches the specified TCP or UDP port numbers. diff --git a/windows/security/threat-protection/windows-firewall/create-an-outbound-program-or-service-rule.md b/windows/security/threat-protection/windows-firewall/create-an-outbound-program-or-service-rule.md index ec94f13e2b..79eb7dda0d 100644 --- a/windows/security/threat-protection/windows-firewall/create-an-outbound-program-or-service-rule.md +++ b/windows/security/threat-protection/windows-firewall/create-an-outbound-program-or-service-rule.md @@ -1,24 +1,26 @@ --- title: Create an Outbound Program or Service Rule (Windows) description: Use the Windows Defender Firewall with Advanced Security node in the Group Policy Management console to create firewall rules. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Create an Outbound Program or Service Rule -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above By default, Windows Defender Firewall allows all outbound network traffic unless it matches a rule that prohibits the traffic. To block outbound network traffic for a specified program or service, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management console to create firewall rules. This type of rule prevents the program from sending any outbound network traffic on any port. diff --git a/windows/security/threat-protection/windows-firewall/create-inbound-rules-to-support-rpc.md b/windows/security/threat-protection/windows-firewall/create-inbound-rules-to-support-rpc.md index 4d05d75092..2fec297236 100644 --- a/windows/security/threat-protection/windows-firewall/create-inbound-rules-to-support-rpc.md +++ b/windows/security/threat-protection/windows-firewall/create-inbound-rules-to-support-rpc.md @@ -1,24 +1,26 @@ --- title: Create Inbound Rules to Support RPC (Windows) description: Learn how to allow RPC network traffic by using the Group Policy Management MMC snap-in to create rules in Windows Defender Firewall with Advanced Security. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Create Inbound Rules to Support RPC -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above To allow inbound remote procedure call (RPC) network traffic, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management console to create two firewall rules. The first rule allows incoming network packets on TCP port 135 to the RPC Endpoint Mapper service. The incoming traffic consists of requests to communicate with a specified network service. The RPC Endpoint Mapper replies with a dynamically assigned port number that the client must use to communicate with the service. The second rule allows the network traffic that is sent to the dynamically assigned port number. Using the two rules configured as described in this topic helps to protect your device by allowing network traffic only from devices that have received RPC dynamic port redirection and to only those TCP port numbers assigned by the RPC Endpoint Mapper. diff --git a/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md b/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md index 7f460e4af8..3b6a633dbf 100644 --- a/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md +++ b/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md @@ -1,23 +1,25 @@ --- title: Create Windows Firewall rules in Intune (Windows) description: Learn how to use Intune to create rules in Windows Defender Firewall with Advanced Security. Start by creating a profile in Device Configuration in Intune. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Create Windows Firewall rules in Intune -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above >[!IMPORTANT] >This information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. diff --git a/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md b/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md index 1b2931e18d..2bdb97ef09 100644 --- a/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md +++ b/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md @@ -1,24 +1,26 @@ --- title: Create WMI Filters for the GPO (Windows) description: Learn how to use WMI filters on a GPO to make sure that each GPO for a group can only be applied to devices running the correct version of Windows. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Create WMI Filters for the GPO -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above To make sure that each GPO associated with a group can only be applied to devices running the correct version of Windows, use the Group Policy Management MMC snap-in to create and assign WMI filters to the GPO. Although you can create a separate membership group for each GPO, you would then have to manage the memberships of the different groups. Instead, use only a single membership group, and let WMI filters automatically ensure the correct GPO is applied to each device. diff --git a/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md b/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md index a245dc4589..0b2d46c86c 100644 --- a/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md +++ b/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md @@ -1,24 +1,26 @@ --- title: Designing a Windows Defender Firewall Strategy (Windows) description: Answer the question in this article to design an effective Windows Defender Firewall with Advanced Security Strategy. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Designing a Windows Defender Firewall with Advanced Security Strategy -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above To select the most effective design for helping to protect the network, you must spend time collecting key information about your current computer environment. You must have a good understanding of what tasks the devices on the network perform, and how they use the network to accomplish those tasks. You must understand the network traffic generated by the programs running on the devices. diff --git a/windows/security/threat-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md b/windows/security/threat-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md index 8ba54573da..7cc8bd8b35 100644 --- a/windows/security/threat-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md +++ b/windows/security/threat-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md @@ -1,24 +1,26 @@ --- title: Determining the Trusted State of Your Devices (Windows) description: Learn how to define the trusted state of devices in your enterprise to help design your strategy for using Windows Defender Firewall with Advanced Security. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Determining the Trusted State of Your Devices -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above After obtaining information about the devices that are currently part of the IT infrastructure, you must determine at what point a device is considered trusted. The term *trusted* can mean different things to different people. Therefore, you must communicate a firm definition for it to all stakeholders in the project. Failure to do this communication can lead to problems with the security of the trusted environment, because the overall security can't exceed the level of security set by the least secure client that achieves trusted status. diff --git a/windows/security/threat-protection/windows-firewall/documenting-the-zones.md b/windows/security/threat-protection/windows-firewall/documenting-the-zones.md index 2215134491..95dc6e163c 100644 --- a/windows/security/threat-protection/windows-firewall/documenting-the-zones.md +++ b/windows/security/threat-protection/windows-firewall/documenting-the-zones.md @@ -1,24 +1,26 @@ --- title: Documenting the Zones (Windows) description: Learn how to document the zone placement of devices in your design for Windows Defender Firewall with Advanced Security. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Documenting the Zones -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above Generally, the task of determining zone membership isn't complex, but it can be time-consuming. Use the information generated during the [Designing a Windows Defender Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md) section of this guide to determine the zone in which to put each host. You can document this zone placement by adding a Group column to the inventory table shown in the Designing a Windows Defender Firewall with Advanced Security Strategy section. A sample is shown here: diff --git a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md index 2370992ec2..82b302fd7b 100644 --- a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md +++ b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md @@ -1,24 +1,26 @@ --- title: Domain Isolation Policy Design Example (Windows) description: This example uses a fictitious company to illustrate domain isolation policy design in Windows Defender Firewall with Advanced Security. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Domain Isolation Policy Design Example -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above This design example continues to use the fictitious company Woodgrove Bank, and builds on the example described in the [Firewall Policy Design Example](firewall-policy-design-example.md) section. See that example for an explanation of the basic corporate network infrastructure at Woodgrove Bank with diagrams. diff --git a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md index 50640ef245..340f62976e 100644 --- a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md +++ b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md @@ -1,24 +1,26 @@ --- title: Domain Isolation Policy Design (Windows) description: Learn how to design a domain isolation policy, based on which devices accept only connections from authenticated members of the same isolated domain. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Domain Isolation Policy Design -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above In the domain isolation policy design, you configure the devices on your network to accept only connections coming from devices that are authenticated as members of the same isolated domain. diff --git a/windows/security/threat-protection/windows-firewall/enable-predefined-inbound-rules.md b/windows/security/threat-protection/windows-firewall/enable-predefined-inbound-rules.md index 307d2e17e0..123058b8dd 100644 --- a/windows/security/threat-protection/windows-firewall/enable-predefined-inbound-rules.md +++ b/windows/security/threat-protection/windows-firewall/enable-predefined-inbound-rules.md @@ -1,24 +1,26 @@ --- title: Enable Predefined Inbound Rules (Windows) description: Learn the rules for Windows Defender Firewall with Advanced Security for common networking roles and functions. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Enable Predefined Inbound Rules -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above Windows Defender Firewall with Advanced Security includes many predefined rules for common networking roles and functions. When you install a new server role on a device or enable a network feature on a client device, the installer typically enables the rules required for that role instead of creating new ones. When deploying firewall rules to the devices on the network, you can take advantage of these predefined rules instead of creating new ones. Using this advantage helps to ensure consistency and accuracy, because the rules have been thoroughly tested and are ready for use. diff --git a/windows/security/threat-protection/windows-firewall/enable-predefined-outbound-rules.md b/windows/security/threat-protection/windows-firewall/enable-predefined-outbound-rules.md index d0ee50b518..000488608e 100644 --- a/windows/security/threat-protection/windows-firewall/enable-predefined-outbound-rules.md +++ b/windows/security/threat-protection/windows-firewall/enable-predefined-outbound-rules.md @@ -1,24 +1,26 @@ --- title: Enable Predefined Outbound Rules (Windows) description: Learn to deploy predefined firewall rules that block outbound network traffic for common network functions in Windows Defender Firewall with Advanced Security. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Enable Predefined Outbound Rules -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above By default, Windows Defender Firewall with Advanced Security allows all outbound network traffic unless it matches a rule that prohibits the traffic. Windows Defender Firewall includes many predefined outbound rules that can be used to block network traffic for common networking roles and functions. When you install a new server role on a computer or enable a network feature on a client computer, the installer can install, but typically doesn't enable, outbound block rules for that role. When deploying firewall rules to the computers on the network, you can take advantage of these predefined rules instead of creating new ones. Using this advantage helps to ensure consistency and accuracy, because the rules have been thoroughly tested and are ready for use. diff --git a/windows/security/threat-protection/windows-firewall/encryption-zone-gpos.md b/windows/security/threat-protection/windows-firewall/encryption-zone-gpos.md index 90e93ba044..bcca4ec64f 100644 --- a/windows/security/threat-protection/windows-firewall/encryption-zone-gpos.md +++ b/windows/security/threat-protection/windows-firewall/encryption-zone-gpos.md @@ -1,24 +1,26 @@ --- title: Encryption Zone GPOs (Windows) description: Learn how to add a device to an encryption zone by adding the device account to the encryption zone group in Windows Defender Firewall with Advanced Security. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Encryption Zone GPOs -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above Handle encryption zones in a similar manner to the boundary zones. A device is added to an encryption zone by adding the device account to the encryption zone group. Woodgrove Bank has a single service that must be protected, and the devices that are running that service are added to the group CG\_DOMISO\_Encryption. This group is granted Read and Apply Group Policy permissions in on the GPO described in this section. diff --git a/windows/security/threat-protection/windows-firewall/encryption-zone.md b/windows/security/threat-protection/windows-firewall/encryption-zone.md index 3427f8825c..7038a7f49d 100644 --- a/windows/security/threat-protection/windows-firewall/encryption-zone.md +++ b/windows/security/threat-protection/windows-firewall/encryption-zone.md @@ -1,24 +1,26 @@ --- title: Encryption Zone (Windows) description: Learn how to create an encryption zone to contain devices that host sensitive data and require that the sensitive network traffic be encrypted. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Encryption Zone -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above Some servers in the organization host data that's sensitive, including medical, financial, or other personal data. Government or industry regulations might require that this sensitive information must be encrypted when it's transferred between devices. diff --git a/windows/security/threat-protection/windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md b/windows/security/threat-protection/windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md index 9cd638e39c..3096a8342b 100644 --- a/windows/security/threat-protection/windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md +++ b/windows/security/threat-protection/windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md @@ -1,24 +1,26 @@ --- title: Evaluating Windows Defender Firewall with Advanced Security Design Examples (Windows) description: Evaluating Windows Defender Firewall with Advanced Security Design Examples -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Evaluating Windows Defender Firewall with Advanced Security Design Examples -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above The following Windows Defender Firewall with Advanced Security design examples illustrate how you can use Windows Defender Firewall to improve the security of the devices connected to the network. You can use these topics to evaluate how the firewall and connection security rules work across all Windows Defender Firewall designs and to determine which design or combination of designs best suits the goals of your organization. diff --git a/windows/security/threat-protection/windows-firewall/exempt-icmp-from-authentication.md b/windows/security/threat-protection/windows-firewall/exempt-icmp-from-authentication.md index dee6778a40..d6de9a861d 100644 --- a/windows/security/threat-protection/windows-firewall/exempt-icmp-from-authentication.md +++ b/windows/security/threat-protection/windows-firewall/exempt-icmp-from-authentication.md @@ -1,24 +1,26 @@ --- title: Exempt ICMP from Authentication (Windows) description: Learn how to add exemptions for any network traffic that uses the ICMP protocol in Windows Defender Firewall with Advanced Security. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Exempt ICMP from Authentication -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above This procedure shows you how to add exemptions for any network traffic that uses the ICMP protocol. diff --git a/windows/security/threat-protection/windows-firewall/exemption-list.md b/windows/security/threat-protection/windows-firewall/exemption-list.md index 487eb1a25d..ac27c34d95 100644 --- a/windows/security/threat-protection/windows-firewall/exemption-list.md +++ b/windows/security/threat-protection/windows-firewall/exemption-list.md @@ -1,24 +1,26 @@ --- title: Exemption List (Windows) description: Learn about reasons to add devices to an exemption list in Windows Defender Firewall with Advanced Security and the trade-offs of having too many exemptions. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Exemption List -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above When you implement a server and domain isolation security model in your organization, you're likely to find more challenges. Key infrastructure servers such as DNS servers and DHCP servers typically must be available to all devices on the internal network, yet secured from network attacks. However, if they must remain available to all devices on the network, not just to isolated domain members, then these servers can't require IPsec for inbound access, nor can they use IPsec transport mode for outbound traffic. diff --git a/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md b/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md index 73db668581..f13a1094ec 100644 --- a/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md +++ b/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md @@ -1,17 +1,23 @@ --- title: Filter origin audit log improvements description: Filter origin documentation audit log improvements -ms.reviewer: -ms.author: v-bshilpa +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: normal -author: Benny-54 -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: - m365-security-compliance - m365-initiative-windows-security ms.topic: troubleshooting ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Filter origin audit log improvements diff --git a/windows/security/threat-protection/windows-firewall/firewall-gpos.md b/windows/security/threat-protection/windows-firewall/firewall-gpos.md index acce618f02..80b417b9a0 100644 --- a/windows/security/threat-protection/windows-firewall/firewall-gpos.md +++ b/windows/security/threat-protection/windows-firewall/firewall-gpos.md @@ -1,24 +1,26 @@ --- title: Firewall GPOs (Windows) description: In this example, a Group Policy Object is linked to the domain container because the domain controllers aren't part of the isolated domain. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Firewall GPOs -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above All the devices on Woodgrove Bank's network that run Windows are part of the isolated domain, except domain controllers. To configure firewall rules, the GPO described in this section is linked to the domain container in the Active Directory OU hierarchy, and then filtered by using security group filters and WMI filters. diff --git a/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md b/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md index 71610970dc..d52cb81f95 100644 --- a/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md +++ b/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md @@ -1,24 +1,26 @@ --- title: Basic Firewall Policy Design Example (Windows) description: This example features a fictitious company and illustrates firewall policy design for Windows Defender Firewall with Advanced Security. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Basic Firewall Policy Design Example -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above In this example, the fictitious company Woodgrove Bank is a financial services institution. diff --git a/windows/security/threat-protection/windows-firewall/firewall-settings-lost-on-upgrade.md b/windows/security/threat-protection/windows-firewall/firewall-settings-lost-on-upgrade.md index 777d827e77..9d3ccfc6b4 100644 --- a/windows/security/threat-protection/windows-firewall/firewall-settings-lost-on-upgrade.md +++ b/windows/security/threat-protection/windows-firewall/firewall-settings-lost-on-upgrade.md @@ -1,17 +1,23 @@ --- title: Troubleshooting Windows Firewall settings after a Windows upgrade description: Firewall settings lost on upgrade -ms.reviewer: -ms.author: v-bshilpa +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: Benny-54 -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: - m365-security-compliance - m365-initiative-windows-security ms.topic: troubleshooting ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Troubleshooting Windows Firewall settings after a Windows upgrade diff --git a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md index da7ae54f60..8725d0c4ed 100644 --- a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md +++ b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md @@ -1,24 +1,26 @@ --- title: Gathering Information about Your Active Directory Deployment (Windows) description: Learn about gathering Active Directory information, including domain layout, organizational unit architecture, and site topology, for your firewall deployment. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Gathering Information about Your Active Directory Deployment -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above Active Directory is another important item about which you must gather information. You must understand the forest structure. This structure includes domain layout, organizational unit (OU) architecture, and site topology. This information makes it possible to know where devices are currently placed, their configuration, and the impact of changes to Active Directory that result from implementing Windows Defender Firewall with Advanced Security. Review the following list for information needed: diff --git a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md index 1477bbc36c..bfe7c5a55b 100644 --- a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md +++ b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md @@ -1,24 +1,26 @@ --- title: Gathering Info about Your Network Infrastructure (Windows) description: Learn how to gather info about your network infrastructure so that you can effectively plan for Windows Defender Firewall with Advanced Security deployment. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Gathering Information about Your Current Network Infrastructure -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above Perhaps the most important aspect of planning for Windows Defender Firewall with Advanced Security deployment is the network architecture, because IPsec is layered on the Internet Protocol itself. An incomplete or inaccurate understanding of the network can prevent any Windows Defender Firewall solution from being successful. Understanding subnet layout, IP addressing schemes, and traffic patterns are part of this effort, but accurately documenting the following components are important to completing the planning phase of this project: diff --git a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-devices.md b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-devices.md index 6cdefe354a..eb25dfbbce 100644 --- a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-devices.md +++ b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-devices.md @@ -1,24 +1,26 @@ --- title: Gathering Information about Your Devices (Windows) description: Learn what information to gather about the devices in your enterprise to plan your Windows Defender Firewall with Advanced Security deployment. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Gathering Information about Your Devices -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above One of the most valuable benefits of conducting an asset discovery project is the large amount of data that is obtained about the client and server devices on the network. When you start designing and planning your isolation zones, you must make decisions that require accurate information about the state of all hosts to ensure that they can use IPsec as planned. diff --git a/windows/security/threat-protection/windows-firewall/gathering-other-relevant-information.md b/windows/security/threat-protection/windows-firewall/gathering-other-relevant-information.md index 7f6cefda53..27ebec7226 100644 --- a/windows/security/threat-protection/windows-firewall/gathering-other-relevant-information.md +++ b/windows/security/threat-protection/windows-firewall/gathering-other-relevant-information.md @@ -1,24 +1,26 @@ --- title: Gathering Other Relevant Information (Windows) description: Learn about additional information you may need to gather to deploy Windows Defender Firewall with Advanced Security policies in your organization. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Gathering Other Relevant Information -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above This topic discusses several other things that you should examine to see whether they'll cause any complications in your ability to deploy Windows Defender Firewall with Advanced Security policies in your organization. diff --git a/windows/security/threat-protection/windows-firewall/gathering-the-information-you-need.md b/windows/security/threat-protection/windows-firewall/gathering-the-information-you-need.md index f009728af3..5f8c2be8fe 100644 --- a/windows/security/threat-protection/windows-firewall/gathering-the-information-you-need.md +++ b/windows/security/threat-protection/windows-firewall/gathering-the-information-you-need.md @@ -1,24 +1,26 @@ --- title: Gathering the Information You Need (Windows) description: Collect and analyze information about your network, directory services, and devices to prepare for Windows Defender Firewall with Advanced Security deployment. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Gathering the Information You Need -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above Before starting the planning process for a Windows Defender Firewall with Advanced Security deployment, you must collect and analyze up-to-date information about the network, the directory services, and the devices that are already deployed in the organization. This information enables you to create a design that accounts for all possible elements of the existing infrastructure. If the gathered information isn't accurate, problems can occur when devices and devices that weren't considered during the planning phase are encountered during implementation. diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-boundary.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-boundary.md index 9d4cea8c27..a9b3bb3f08 100644 --- a/windows/security/threat-protection/windows-firewall/gpo-domiso-boundary.md +++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-boundary.md @@ -1,24 +1,26 @@ --- title: GPO\_DOMISO\_Boundary (Windows) description: This example GPO supports devices that aren't part of the isolated domain to access specific servers that must be available to those untrusted devices. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # GPO\_DOMISO\_Boundary -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above This GPO is authored by using the Windows Defender Firewall with Advanced Security interface in the Group Policy editing tools. Woodgrove Bank began by copying and pasting the GPO for the Windows Server 2008 version of the isolated domain GPO, and then renamed the copy to reflect its new purpose. diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-encryption.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-encryption.md index a325feb5ed..9849e51f4d 100644 --- a/windows/security/threat-protection/windows-firewall/gpo-domiso-encryption.md +++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-encryption.md @@ -1,16 +1,22 @@ --- title: GPO\_DOMISO\_Encryption\_WS2008 (Windows) description: This example GPO supports the ability for servers that contain sensitive data to require encryption for all connection requests. -ms.reviewer: -ms.author: dansimp -author: dansimp -manager: dansimp +ms.reviewer: jekrynit +ms.author: paoloma +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.prod: m365-security ms.localizationpriority: medium ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # GPO\_DOMISO\_Encryption\_WS2008 diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-firewall.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-firewall.md index 6cd30ab0e7..c50f026cc3 100644 --- a/windows/security/threat-protection/windows-firewall/gpo-domiso-firewall.md +++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-firewall.md @@ -1,24 +1,26 @@ --- title: GPO\_DOMISO\_Firewall (Windows) description: Learn about the settings and rules in this example GPO, which is authored by using the Group Policy editing tools. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # GPO\_DOMISO\_Firewall -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above This GPO is authored by using the Windows Defender Firewall with Advanced Security interface in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It is intended to only apply to devices that are running at least Windows 7 or Windows Server 2008. diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md index be3ef61a55..40f53282db 100644 --- a/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md +++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md @@ -1,24 +1,26 @@ --- title: GPO\_DOMISO\_IsolatedDomain\_Clients (Windows) description: Author this GPO by using Windows Defender Firewall with Advanced Security interface in the Group Policy editing tools. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # GPO\_DOMISO\_IsolatedDomain\_Clients -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above This GPO is authored by using the Windows Defender Firewall with Advanced Security interface in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It's intended to only apply to client devices that are running Windows 8, Windows 7, or Windows Vista. diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md index 3e4b545348..cd7824dccc 100644 --- a/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md +++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md @@ -1,24 +1,26 @@ --- title: GPO\_DOMISO\_IsolatedDomain\_Servers (Windows) description: Author this GPO by using the Windows Defender Firewall with Advanced Security interface in the Group Policy editing tools. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # GPO\_DOMISO\_IsolatedDomain\_Servers -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above This GPO is authored by using the Windows Defender Firewall interface in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It's intended to only apply to server devices that are running at least Windows Server 2008. diff --git a/windows/security/threat-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md b/windows/security/threat-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md index da1df7152e..393ecebb5b 100644 --- a/windows/security/threat-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md +++ b/windows/security/threat-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md @@ -1,23 +1,25 @@ --- title: Identify implementation goals for Windows Defender Firewall with Advanced Security Deployment (Windows) description: Identifying Your Windows Defender Firewall with Advanced Security (WFAS) implementation goals -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Identifying Windows Defender Firewall with Advanced Security implementation goals -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above Correctly identifying your Windows Defender Firewall with Advanced Security implementation goals is essential for the success of your Windows Defender Firewall design project. Form a project team that can clearly articulate deployment issues in a vision statement. When you write your vision statement, identify, clarify, and refine your implementation goals. Prioritize and, if possible, combine your implementation goals so that you can design and deploy Windows Defender Firewall by using an iterative approach. You can take advantage of the predefined Windows Defender Firewall implementation goals presented in this guide that are relevant to your scenarios. diff --git a/windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md b/windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md index e99fb5bdc3..663cee3cb9 100644 --- a/windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md +++ b/windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md @@ -1,24 +1,26 @@ --- title: Implementing Your Windows Defender Firewall with Advanced Security Design Plan (Windows) description: Implementing Your Windows Defender Firewall with Advanced Security Design Plan -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Implementing Your Windows Defender Firewall with Advanced Security Design Plan -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above The following are important factors in the implementation of your Windows Defender Firewall design plan: diff --git a/windows/security/threat-protection/windows-firewall/isolated-domain-gpos.md b/windows/security/threat-protection/windows-firewall/isolated-domain-gpos.md index b2b51c8bed..d15da4ef92 100644 --- a/windows/security/threat-protection/windows-firewall/isolated-domain-gpos.md +++ b/windows/security/threat-protection/windows-firewall/isolated-domain-gpos.md @@ -1,24 +1,26 @@ --- title: Isolated Domain GPOs (Windows) description: Learn about GPOs for isolated domains in this example configuration of Windows Defender Firewall with Advanced Security. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Isolated Domain GPOs -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above All of the devices in the isolated domain are added to the group CG\_DOMISO\_IsolatedDomain. You must create multiple GPOs to align with this group, one for each Windows operating system that must have different rules or settings to implement the basic isolated domain functionality that you have in your isolated domain. This group is granted Read and Apply Group Policy permissions on all the GPOs described in this section. diff --git a/windows/security/threat-protection/windows-firewall/isolated-domain.md b/windows/security/threat-protection/windows-firewall/isolated-domain.md index ab40a0617d..16663963fe 100644 --- a/windows/security/threat-protection/windows-firewall/isolated-domain.md +++ b/windows/security/threat-protection/windows-firewall/isolated-domain.md @@ -1,16 +1,22 @@ --- title: Isolated Domain (Windows) description: Learn about the isolated domain, which is the primary zone for trusted devices, which use connection security and firewall rules to control communication. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Isolated Domain diff --git a/windows/security/threat-protection/windows-firewall/isolating-apps-on-your-network.md b/windows/security/threat-protection/windows-firewall/isolating-apps-on-your-network.md index 94c2d1efc2..4da13f6712 100644 --- a/windows/security/threat-protection/windows-firewall/isolating-apps-on-your-network.md +++ b/windows/security/threat-protection/windows-firewall/isolating-apps-on-your-network.md @@ -3,22 +3,24 @@ title: Isolating Microsoft Store Apps on Your Network (Windows) description: Learn how to customize your firewall configuration to isolate the network access of the new Microsoft Store apps that run on devices added to your network. ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Isolating Microsoft Store Apps on Your Network -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above When you add new devices to your network, you may want to customize your Windows Defender Firewall with Advanced Security configuration to isolate the network access of the new Microsoft Store apps that run on them. Developers who build Microsoft Store apps can declare certain app capabilities that enable different classes of network access. A developer can decide what kind of network access the app requires and configure this capability for the app. When the app is installed on a device, appropriate firewall rules are automatically created to enable access. You can then customize the firewall configuration to further fine-tune this access if they desire more control over the network access for the app. diff --git a/windows/security/threat-protection/windows-firewall/link-the-gpo-to-the-domain.md b/windows/security/threat-protection/windows-firewall/link-the-gpo-to-the-domain.md index 27ca0787a6..50361255a5 100644 --- a/windows/security/threat-protection/windows-firewall/link-the-gpo-to-the-domain.md +++ b/windows/security/threat-protection/windows-firewall/link-the-gpo-to-the-domain.md @@ -1,24 +1,26 @@ --- title: Link the GPO to the Domain (Windows) description: Learn how to link a GPO to the Active Directory container for the target devices, after you configure it in Windows Defender Firewall with Advanced Security. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Link the GPO to the Domain -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above After you create the GPO and configure it with security group filters and WMI filters, you must link the GPO to the container in Active Directory that contains all of the target devices. diff --git a/windows/security/threat-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md b/windows/security/threat-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md index e14954cb74..b729a362be 100644 --- a/windows/security/threat-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md +++ b/windows/security/threat-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md @@ -1,24 +1,26 @@ --- title: Mapping your implementation goals to a Windows Firewall with Advanced Security design (Windows) description: Mapping your implementation goals to a Windows Firewall with Advanced Security design -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Mapping your implementation goals to a Windows Firewall with Advanced Security design -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above After you finish reviewing the existing Windows Firewall with Advanced Security implementation goals and you determine which goals are important to your specific deployment, you can map those goals to a specific Windows Firewall with Advanced Security design. > [!IMPORTANT] diff --git a/windows/security/threat-protection/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md b/windows/security/threat-protection/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md index 20c89d309f..ce5e5032ad 100644 --- a/windows/security/threat-protection/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md +++ b/windows/security/threat-protection/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md @@ -1,24 +1,26 @@ --- title: Modify GPO Filters (Windows) description: Learn how to modify GPO filters to apply to a different zone or version of windows in Windows Defender Firewall with Advanced Security. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Modify GPO Filters to Apply to a Different Zone or Version of Windows -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above You must reconfigure your copied GPO so that it contains the correct security group and WMI filters for its new role. If you are creating the GPO for the isolated domain, use the [Block members of a group from applying a GPO](#to-block-members-of-a-group-from-applying-a-gpo) procedure to prevent members of the boundary and encryption zones from incorrectly applying the GPOs for the main isolated domain. diff --git a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md index 27d55010fe..2a59a2ec1e 100644 --- a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md +++ b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md @@ -1,24 +1,26 @@ --- title: Open the Group Policy Management Console to IP Security Policies (Windows) description: Learn how to open the Group Policy Management Console to IP Security Policies to configure GPOs for earlier versions of the Windows operating system. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Open the Group Policy Management Console to IP Security Policies -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above Procedures in this guide that refer to GPOs for earlier versions of the Windows operating system instruct you to work with the IP Security Policy section in the Group Policy Management Console (GPMC). diff --git a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md index 6b414fd0e1..fbbda89fb9 100644 --- a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md +++ b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md @@ -1,24 +1,26 @@ --- title: Group Policy Management of Windows Firewall with Advanced Security (Windows) description: Group Policy Management of Windows Firewall with Advanced Security -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Group Policy Management of Windows Firewall with Advanced Security -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above Most of the procedures in this guide instruct you to use Group Policy settings for Windows Firewall with Advanced Security. diff --git a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md index 7c1ef5c3ab..548d290e41 100644 --- a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md +++ b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md @@ -1,24 +1,26 @@ --- title: Group Policy Management of Windows Defender Firewall (Windows) description: Group Policy Management of Windows Defender Firewall with Advanced Security -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Group Policy Management of Windows Defender Firewall -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above To open a GPO to Windows Defender Firewall: diff --git a/windows/security/threat-protection/windows-firewall/open-windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/open-windows-firewall-with-advanced-security.md index 31a3fba50f..7d3b9aafd8 100644 --- a/windows/security/threat-protection/windows-firewall/open-windows-firewall-with-advanced-security.md +++ b/windows/security/threat-protection/windows-firewall/open-windows-firewall-with-advanced-security.md @@ -1,24 +1,26 @@ --- title: Open Windows Defender Firewall with Advanced Security (Windows) description: Learn how to open the Windows Defender Firewall with Advanced Security console. You must be a member of the Administrators group. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Open Windows Defender Firewall with Advanced Security -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above This procedure shows you how to open the Windows Defender Firewall with Advanced Security console. diff --git a/windows/security/threat-protection/windows-firewall/planning-certificate-based-authentication.md b/windows/security/threat-protection/windows-firewall/planning-certificate-based-authentication.md index 0e6eba3376..6ed68f701c 100644 --- a/windows/security/threat-protection/windows-firewall/planning-certificate-based-authentication.md +++ b/windows/security/threat-protection/windows-firewall/planning-certificate-based-authentication.md @@ -1,24 +1,26 @@ --- title: Planning Certificate-based Authentication (Windows) description: Learn how a device unable to join an Active Directory domain can still participate in an isolated domain by using certificate-based authentication. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Planning Certificate-based Authentication -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above Sometimes a device can't join an Active Directory domain, and therefore can't use Kerberos V5 authentication with domain credentials. However, the device can still participate in the isolated domain by using certificate-based authentication. diff --git a/windows/security/threat-protection/windows-firewall/planning-domain-isolation-zones.md b/windows/security/threat-protection/windows-firewall/planning-domain-isolation-zones.md index 1df3ac69c7..0edcdd46c3 100644 --- a/windows/security/threat-protection/windows-firewall/planning-domain-isolation-zones.md +++ b/windows/security/threat-protection/windows-firewall/planning-domain-isolation-zones.md @@ -1,24 +1,26 @@ --- title: Planning Domain Isolation Zones (Windows) description: Learn how to use information you've gathered to make decisions about isolation zones for your environment in Windows Defender Firewall with Advanced Security. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Planning Domain Isolation Zones -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above After you have the required information about your network, Active Directory, and client and server devices, you can use that information to make decisions about the isolation zones you want to use in your environment. diff --git a/windows/security/threat-protection/windows-firewall/planning-gpo-deployment.md b/windows/security/threat-protection/windows-firewall/planning-gpo-deployment.md index 356ce2a71e..12a6970f24 100644 --- a/windows/security/threat-protection/windows-firewall/planning-gpo-deployment.md +++ b/windows/security/threat-protection/windows-firewall/planning-gpo-deployment.md @@ -1,24 +1,26 @@ --- title: Planning GPO Deployment (Windows) description: Learn how to use security group filtering and WMI filtering to provide the most flexible options for applying GPOs to devices in Active Directory. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Planning GPO Deployment -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above You can control which GPOs are applied to devices in Active Directory in a combination of three ways: diff --git a/windows/security/threat-protection/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md b/windows/security/threat-protection/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md index a4b877a50f..a63f2b239f 100644 --- a/windows/security/threat-protection/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md +++ b/windows/security/threat-protection/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md @@ -1,24 +1,26 @@ --- title: Planning Group Policy Deployment for Your Isolation Zones (Windows) description: Learn how to plan a group policy deployment for your isolation zones after you determine the best logical design for your isolation environment. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Planning Group Policy Deployment for Your Isolation Zones -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above After you've decided on the best logical design of your isolation environment for the network and device security requirements, you can start the implementation plan. diff --git a/windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md b/windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md index 3b9d484653..ee193d5c3d 100644 --- a/windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md +++ b/windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md @@ -1,24 +1,26 @@ --- title: Planning Isolation Groups for the Zones (Windows) description: Learn about planning isolation groups for the zones in Microsoft Firewall, including information on universal groups and GPOs. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Planning Isolation Groups for the Zones -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above Isolation groups in Active Directory are how you implement the various domain and server isolation zones. A device is assigned to a zone by adding its device account to the group that represents that zone. diff --git a/windows/security/threat-protection/windows-firewall/planning-network-access-groups.md b/windows/security/threat-protection/windows-firewall/planning-network-access-groups.md index a46279468a..ebc3e779ce 100644 --- a/windows/security/threat-protection/windows-firewall/planning-network-access-groups.md +++ b/windows/security/threat-protection/windows-firewall/planning-network-access-groups.md @@ -1,24 +1,26 @@ --- title: Planning Network Access Groups (Windows) description: Learn how to implement a network access group for users and devices that can access an isolated server in Windows Defender Firewall with Advanced Security. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Planning Network Access Groups -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above A network access group (NAG) is used to identify users and devices that have permission to access an isolated server. The server is configured with firewall rules that allow only network connections that are authenticated as originating from a device, and optionally a user, whose accounts are members of its NAG. A member of the isolated domain can belong to as many NAGs as required. diff --git a/windows/security/threat-protection/windows-firewall/planning-server-isolation-zones.md b/windows/security/threat-protection/windows-firewall/planning-server-isolation-zones.md index 9e0486133d..6cdcc36dc6 100644 --- a/windows/security/threat-protection/windows-firewall/planning-server-isolation-zones.md +++ b/windows/security/threat-protection/windows-firewall/planning-server-isolation-zones.md @@ -1,24 +1,26 @@ --- title: Planning Server Isolation Zones (Windows) description: Learn how to restrict access to a server to approved users by using a server isolation zone in Windows Defender Firewall with Advanced Security. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Planning Server Isolation Zones -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above Sometimes a server hosts data that is sensitive. If your servers host data that must not be compromised, you have several options to help protect that data. One was already addressed: adding the server to the encryption zone. Membership in that zone prevents the server from being accessed by any devices that are outside the isolated domain, and encrypts all network connections to server. diff --git a/windows/security/threat-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md b/windows/security/threat-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md index 6f5c67f5bd..f4bcdca804 100644 --- a/windows/security/threat-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md +++ b/windows/security/threat-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md @@ -1,24 +1,26 @@ --- title: Planning Settings for a Basic Firewall Policy (Windows) description: Learn how to design a basic policy for Windows Defender Firewall with Advanced Security, the settings and rules that enforce your requirements on devices. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Planning Settings for a Basic Firewall Policy -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above After you've identified your requirements, and have the information about the network layout and devices available, you can begin to design the GPO settings and rules that will enable you to enforce your requirements on the devices. diff --git a/windows/security/threat-protection/windows-firewall/planning-the-gpos.md b/windows/security/threat-protection/windows-firewall/planning-the-gpos.md index c61cc01904..1a921ebe00 100644 --- a/windows/security/threat-protection/windows-firewall/planning-the-gpos.md +++ b/windows/security/threat-protection/windows-firewall/planning-the-gpos.md @@ -1,24 +1,26 @@ --- title: Planning the GPOs (Windows) description: Learn about planning Group Policy Objects for your isolation zones in Windows Defender Firewall with Advanced Security, after you design the zone layout. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Planning the GPOs -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above When you plan the GPOs for your different isolation zones, you must complete the layout of the required zones and their mappings to the groups that link the devices to the zones. diff --git a/windows/security/threat-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md index b2922c2dd6..1411d23007 100644 --- a/windows/security/threat-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md +++ b/windows/security/threat-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md @@ -1,24 +1,26 @@ --- title: Plan to Deploy Windows Defender Firewall with Advanced Security (Windows) description: Use the design information in this article to plan for the deployment of Windows Defender Firewall with Advanced Security in your organization. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Planning to Deploy Windows Defender Firewall with Advanced Security -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above After you collect information about your environment and decide on a design by following the guidance in the [Windows Defender Firewall with Advanced Security Design Guide](windows-firewall-with-advanced-security-design-guide.md), you can begin to plan the deployment of your design. With the completed design and the information in this topic, you can determine which tasks to perform to deploy Windows Defender Firewall with Advanced Security in your organization. diff --git a/windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md b/windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md index 3c54199363..9d104e67c2 100644 --- a/windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md +++ b/windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md @@ -1,24 +1,26 @@ --- title: Planning Your Windows Defender Firewall with Advanced Security Design (Windows) description: After you gather the relevant information, select the design or combination of designs for Windows Defender Firewall with Advanced Security in your environment. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Planning Your Windows Defender Firewall with Advanced Security Design -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above After you've gathered the relevant information in the previous sections, and understood the basics of the designs as described earlier in this guide, you can select the design (or combination of designs) that meet your needs. diff --git a/windows/security/threat-protection/windows-firewall/procedures-used-in-this-guide.md b/windows/security/threat-protection/windows-firewall/procedures-used-in-this-guide.md index 8c98be2b77..b12f025700 100644 --- a/windows/security/threat-protection/windows-firewall/procedures-used-in-this-guide.md +++ b/windows/security/threat-protection/windows-firewall/procedures-used-in-this-guide.md @@ -1,24 +1,26 @@ --- title: Procedures Used in This Guide (Windows) description: Refer to this summary of procedures for Windows Defender Firewall with Advanced Security from checklists in this guide. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Procedures Used in This Guide -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above The procedures in this section appear in the checklists found earlier in this document. They should be used only in the context of the checklists in which they appear. They are presented here in alphabetical order. diff --git a/windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md b/windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md index 0ae3e5785f..e143a06c23 100644 --- a/windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md +++ b/windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md @@ -1,24 +1,26 @@ --- title: Protect devices from unwanted network traffic (Windows) description: Learn how running a host-based firewall on every device in your organization can help protect against attacks as part of a defense-in-depth security strategy. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 01/18/2022 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Protect devices from unwanted network traffic -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above Although network perimeter firewalls provide important protection to network resources from external threats, there are network threats that a perimeter firewall can't protect against. Some attacks might successfully penetrate the perimeter firewall, and at that point what can stop it? Other attacks might originate from inside the network, such as malware that is brought in on portable media and run on a trusted device. Portable devices are often taken outside the network and connected directly to the Internet, without adequate protection between the device and security threats. diff --git a/windows/security/threat-protection/windows-firewall/quarantine.md b/windows/security/threat-protection/windows-firewall/quarantine.md index debe26322b..c914408573 100644 --- a/windows/security/threat-protection/windows-firewall/quarantine.md +++ b/windows/security/threat-protection/windows-firewall/quarantine.md @@ -1,16 +1,22 @@ --- title: Quarantine behavior description: Quarantine behavior is explained in detail. -ms.author: v-bshilpa -author: Benny-54 -manager: dansimp -ms.reviewer: +ms.author: paoloma +author: paolomatarazzo +manager: aaroncz +ms.reviewer: jekrynit ms.prod: m365-security ms.localizationpriority: normal ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Quarantine behavior diff --git a/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md b/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md index 92a170d7ef..eda42f13e6 100644 --- a/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md +++ b/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md @@ -1,24 +1,26 @@ --- title: Require Encryption When Accessing Sensitive Network Resources (Windows) description: Windows Defender Firewall with Advanced Security allows you to require that all network traffic in an isolated domain be encrypted. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Require Encryption When Accessing Sensitive Network Resources -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above The use of authentication in the previously described goal ([Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md)) enables a device in the isolated domain to block traffic from untrusted devices. However, it doesn't prevent an untrusted device from eavesdropping on the network traffic shared between two trusted devices, because by default network packets aren't encrypted. diff --git a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md index f9a9247b52..1b7a5eef66 100644 --- a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md +++ b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md @@ -1,24 +1,26 @@ --- title: Restrict Access to Only Specified Users or Devices (Windows) description: Restrict access to devices and users that are members of domain groups authorized to access that device using Windows Defender Firewall with Advanced Security. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Restrict Access to Only Specified Users or Computers -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above Domain isolation (as described in the previous goal [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md)) prevents devices that are members of the isolated domain from accepting network traffic from untrusted devices. However, some devices on the network might host sensitive data that must be additionally restricted to only those users and computers that have a business requirement to access the data. diff --git a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md index 6f48e70c2f..83e9ef9191 100644 --- a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md +++ b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md @@ -1,24 +1,26 @@ --- title: Restrict access to only trusted devices (Windows) description: Windows Defender Firewall with Advanced Security enables you to isolate devices you trust and restrict access of untrusted devices to trusted devices. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Restrict access to only trusted devices -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above Your organizational network likely has a connection to the Internet. You also likely have partners, vendors, or contractors who attach devices that aren't owned by your organization to your network. Because you don't manage those devices, you can't trust them to be free of malicious software, maintained with the latest security updates, or in any way in compliance with your organization's security policies. These untrustworthy devices both on and outside of your physical network must not be permitted to access your organization's devices except where it's truly required. diff --git a/windows/security/threat-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md b/windows/security/threat-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md index d405ae9ad9..ccd8c1f678 100644 --- a/windows/security/threat-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md +++ b/windows/security/threat-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md @@ -1,24 +1,26 @@ --- title: Restrict Server Access to Members of a Group Only (Windows) description: Create a firewall rule to access isolated servers running Windows Server 2008 or later and restrict server access to members of a group. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Restrict Server Access to Members of a Group Only -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above After you have configured the IPsec connection security rules that force client devices to authenticate their connections to the isolated server, you must configure the rules that restrict access to only those devices or users who have been identified through the authentication process as members of the isolated server’s access group. diff --git a/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md b/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md index e43a977d74..5de4aeebab 100644 --- a/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md +++ b/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md @@ -3,22 +3,24 @@ title: Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 20 description: Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012 ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Securing End-to-End IPsec connections by using IKEv2 -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above IKEv2 offers the following: diff --git a/windows/security/threat-protection/windows-firewall/server-isolation-gpos.md b/windows/security/threat-protection/windows-firewall/server-isolation-gpos.md index 6c2574d928..15f710e53b 100644 --- a/windows/security/threat-protection/windows-firewall/server-isolation-gpos.md +++ b/windows/security/threat-protection/windows-firewall/server-isolation-gpos.md @@ -1,24 +1,26 @@ --- title: Server Isolation GPOs (Windows) description: Learn about required GPOs for isolation zones and how many server isolation zones you need in Windows Defender Firewall with Advanced Security. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Server Isolation GPOs -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above Each set of devices that have different users or devices accessing them require a separate server isolation zone. Each zone requires one GPO for each version of Windows running on devices in the zone. The Woodgrove Bank example has an isolation zone for their devices that run SQL Server. The server isolation zone is logically considered part of the encryption zone. Therefore, server isolation zone GPOs must also include rules for encrypting all isolated server traffic. Woodgrove Bank copied the encryption zone GPOs to serve as a starting point, and renamed them to reflect their new purpose. diff --git a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md index bfade02b3c..f920003a00 100644 --- a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md +++ b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md @@ -1,24 +1,26 @@ --- title: Server Isolation Policy Design Example (Windows) description: Learn about server isolation policy design in Windows Defender Firewall with Advanced Security by referring to this example of a fictitious company. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Server Isolation Policy Design Example -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above This design example continues to use the fictitious company Woodgrove Bank, as described in the [Firewall Policy Design Example](firewall-policy-design-example.md) section and the [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md) section. diff --git a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md index 91160b8e0a..5dc27f7b43 100644 --- a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md +++ b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md @@ -1,24 +1,26 @@ --- title: Server Isolation Policy Design (Windows) description: Learn about server isolation policy design, where you assign servers to a zone that allows access only to members of an approved network access group. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Server Isolation Policy Design -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above In the server isolation policy design, you assign servers to a zone that allows access only to users and devices that authenticate as members of an approved network access group (NAG). diff --git a/windows/security/threat-protection/windows-firewall/troubleshooting-uwp-firewall.md b/windows/security/threat-protection/windows-firewall/troubleshooting-uwp-firewall.md index a0116d71eb..9796a30b9e 100644 --- a/windows/security/threat-protection/windows-firewall/troubleshooting-uwp-firewall.md +++ b/windows/security/threat-protection/windows-firewall/troubleshooting-uwp-firewall.md @@ -1,17 +1,23 @@ --- title: Troubleshooting UWP App Connectivity Issues in Windows Firewall description: Troubleshooting UWP App Connectivity Issues in Windows Firewall -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: - m365-security-compliance - m365-initiative-windows-security ms.topic: troubleshooting ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Troubleshooting UWP App Connectivity Issues diff --git a/windows/security/threat-protection/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md b/windows/security/threat-protection/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md index 64a55b790e..72d9d7fa43 100644 --- a/windows/security/threat-protection/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md +++ b/windows/security/threat-protection/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md @@ -1,24 +1,26 @@ --- title: Turn on Windows Defender Firewall with Advanced Security and Configure Default Behavior (Windows) description: Turn on Windows Defender Firewall with Advanced Security and Configure Default Behavior -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Turn on Windows Defender Firewall with Advanced Security and Configure Default Behavior -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above To enable Windows Defender Firewall with Advanced Security and configure its default behavior, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management console. diff --git a/windows/security/threat-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md b/windows/security/threat-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md index dd58d0c8d0..e924d932ea 100644 --- a/windows/security/threat-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md +++ b/windows/security/threat-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md @@ -3,14 +3,20 @@ title: Understand WFAS Deployment (Windows) description: Resources for helping you understand the Windows Defender Firewall with Advanced Security (WFAS) Design Process ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Understanding the Windows Defender Firewall with Advanced Security Design Process diff --git a/windows/security/threat-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md b/windows/security/threat-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md index 3f49bc068c..9359451826 100644 --- a/windows/security/threat-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md +++ b/windows/security/threat-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md @@ -1,24 +1,26 @@ --- title: Verify That Network Traffic Is Authenticated (Windows) description: Learn how to confirm that network traffic is being protected by IPsec authentication after you configure your domain isolation rule to require authentication. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Verify That Network Traffic Is Authenticated -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above After you've configured your domain isolation rule to request, rather than require, authentication, you must confirm that the network traffic sent by the devices on the network is being protected by IPsec authentication as expected. If you switch your rules to require authentication before all of the devices have received and applied the correct GPOs, or if there are any errors in your rules, then communications on the network can fail. By first setting the rules to request authentication, any network connections that fail authentication can continue in clear text while you diagnose and troubleshoot. diff --git a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md index 7173220848..14a6de27f4 100644 --- a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md +++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md @@ -3,22 +3,24 @@ title: Windows Defender Firewall with Advanced Security Administration with Wind description: Windows Defender Firewall with Advanced Security Administration with Windows PowerShell ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Windows Defender Firewall with Advanced Security Administration with Windows PowerShell -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above The Windows Defender Firewall with Advanced Security Administration with Windows PowerShell Guide provides essential scriptlets for automating Windows Defender Firewall management. It's designed for IT pros, system administrators, IT managers, and others who use and need to automate Windows Defender Firewall management in Windows. diff --git a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md index f0ec1fb9dc..b2d5a9b049 100644 --- a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md +++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md @@ -1,24 +1,26 @@ --- title: Windows Defender Firewall with Advanced Security deployment overview (Windows) description: Use this guide to deploy Windows Defender Firewall with Advanced Security for your enterprise to help protect devices and data that they share across a network. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Windows Defender Firewall with Advanced Security deployment overview -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above You can use the Windows Defender Firewall with Advanced Security MMC snap-in with devices running at least Windows Vista or Windows Server 2008 to help protect the devices and the data that they share across a network. diff --git a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md index 791816f439..b23f7bc963 100644 --- a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md +++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md @@ -1,24 +1,26 @@ --- title: Windows Defender Firewall with Advanced Security design guide (Windows) description: Learn about common goals for using Windows Defender Firewall with Advanced Security to choose or create a design for deploying the firewall in your enterprise. -ms.reviewer: -ms.author: dansimp +ms.reviewer: jekrynit +ms.author: paoloma ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -manager: dansimp +author: paolomatarazzo +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Windows Defender Firewall with Advanced Security design guide -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above Windows Defender Firewall with Advanced Security is a host firewall that helps secure the device in two ways. First, it can filter the network traffic permitted to enter the device from the network, and also control what network traffic the device is allowed to send to the network. Second, Windows Defender Firewall supports IPsec, which enables you to require authentication from any device that is attempting to communicate with your device. When authentication is required, devices that can't authenticate can't communicate with your device. By using IPsec, you can also require that specific network traffic be encrypted to prevent it from being read or intercepted while in transit between devices. diff --git a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md index 297a720a7a..dc08cf7455 100644 --- a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md +++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md @@ -3,23 +3,25 @@ title: Windows Defender Firewall with Advanced Security (Windows) description: Learn overview information about the Windows Defender Firewall with Advanced Security (WFAS) and Internet Protocol security (IPsec) features. ms.prod: m365-security ms.localizationpriority: medium -author: denisebmsft -ms.author: deniseb -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 -ms.reviewer: +ms.reviewer: jekrynit ms.custom: asr ms.technology: windows-sec +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 +- ✅ Windows Server 2019 +- ✅ Windows Server 2022 --- # Windows Defender Firewall with Advanced Security -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above This topic is an overview of the Windows Defender Firewall with Advanced Security (WFAS) and Internet Protocol security (IPsec) features.