From 30c3745e3b9ef053cc31566577a94074d0a5a1d6 Mon Sep 17 00:00:00 2001
From: Jeff Borsecnik <123032460+American-Dipper@users.noreply.github.com>
Date: Tue, 10 Oct 2023 11:22:52 -0700
Subject: [PATCH 01/22] Update docfx.json "contributors to exclude"
---
 windows/privacy/docfx.json | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/windows/privacy/docfx.json b/windows/privacy/docfx.json
index 44e5b9392e..9c6e2c525d 100644
--- a/windows/privacy/docfx.json
+++ b/windows/privacy/docfx.json
@@ -58,6 +58,9 @@
 "tiburd",
 "garycentric",
 "beccarobins"
+ "v-stchambers",
+ "v-stsavell",
+ "American-Dipper"
 ]
 },
 "searchScope": ["Windows 10"]
From 36a61a9645939ece91c61c03df0ee23d04153871 Mon Sep 17 00:00:00 2001
From: Jeff Borsecnik <123032460+American-Dipper@users.noreply.github.com>
Date: Tue, 10 Oct 2023 11:24:48 -0700
Subject: [PATCH 02/22] Update docfx.json "contributors to exclude"
---
 windows/whats-new/docfx.json | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/windows/whats-new/docfx.json b/windows/whats-new/docfx.json
index 036ef0bfa2..0c5f721e90 100644
--- a/windows/whats-new/docfx.json
+++ b/windows/whats-new/docfx.json
@@ -59,7 +59,10 @@
 "jborsecnik",
 "tiburd",
 "garycentric",
- "beccarobins"
+ "beccarobins",
+ "v-stchambers",
+ "v-stsavell",
+ "American-Dipper"
 ],
 "searchScope": ["Windows 10"]
 },
From 631568176a233c5f50d2f56660c95affefdb4a45 Mon Sep 17 00:00:00 2001
From: Jeff Borsecnik <123032460+American-Dipper@users.noreply.github.com>
Date: Tue, 10 Oct 2023 11:26:00 -0700
Subject: [PATCH 03/22] Update docfx.json "contributors to exclude"
---
 store-for-business/docfx.json | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/store-for-business/docfx.json b/store-for-business/docfx.json
index f0006e84b3..283ac81b83 100644
--- a/store-for-business/docfx.json
+++ b/store-for-business/docfx.json
@@ -67,7 +67,9 @@
 "v-dihans",
 "garycentric",
 "v-stsavell",
- "beccarobins"
+ "beccarobins",
+ "v-stchambers",
+ "American-Dipper"
 ]
 },
 "fileMetadata": {},
From 12b0c54464619dd9adc1300c0f5d1c017383fb6f Mon Sep 17 00:00:00 2001
From: Jeff Borsecnik <123032460+American-Dipper@users.noreply.github.com>
Date: Tue, 10 Oct 2023 11:27:04 -0700
Subject: [PATCH 04/22] Update docfx.json "contributors to exclude"
---
 windows/deployment/docfx.json | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/windows/deployment/docfx.json b/windows/deployment/docfx.json
index d718ec36aa..a076f8b3fd 100644
--- a/windows/deployment/docfx.json
+++ b/windows/deployment/docfx.json
@@ -58,7 +58,10 @@
 "jborsecnik",
 "tiburd",
 "garycentric",
- "beccarobins"
+ "beccarobins",
+ "v-stchambers",
+ "v-stsavell",
+ "American-Dipper"
 ],
 "searchScope": ["Windows 10"]
 },
From 513b3eb91171a5e2ce6d2b0280b960448aff1983 Mon Sep 17 00:00:00 2001
From: Jeff Borsecnik <123032460+American-Dipper@users.noreply.github.com>
Date: Tue, 10 Oct 2023 11:33:34 -0700
Subject: [PATCH 05/22] Update docfx.json
---
 windows/privacy/docfx.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/privacy/docfx.json b/windows/privacy/docfx.json
index 9c6e2c525d..94c80870bb 100644
--- a/windows/privacy/docfx.json
+++ b/windows/privacy/docfx.json
@@ -57,7 +57,7 @@
 "jborsecnik",
 "tiburd",
 "garycentric",
- "beccarobins"
+ "beccarobins",
 "v-stchambers",
 "v-stsavell",
 "American-Dipper"
From 2d6fe6a795b958d76cef0a99eaa134f99edeaa1f Mon Sep 17 00:00:00 2001
From: Jeff Borsecnik <123032460+American-Dipper@users.noreply.github.com>
Date: Wed, 11 Oct 2023 10:27:12 -0700
Subject: [PATCH 06/22] Update docfx.json
---
 store-for-business/docfx.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/store-for-business/docfx.json b/store-for-business/docfx.json
index 283ac81b83..c73c690b68 100644
--- a/store-for-business/docfx.json
+++ b/store-for-business/docfx.json
@@ -68,7 +68,7 @@
 "garycentric",
 "v-stsavell",
 "beccarobins",
- "v-stchambers",
+ "Stacyrch140",
 "American-Dipper"
 ]
 },
From bea69ef1c478ba6e4be3bd983c350fd954733915 Mon Sep 17 00:00:00 2001
From: Jeff Borsecnik <123032460+American-Dipper@users.noreply.github.com>
Date: Wed, 11 Oct 2023 10:27:32 -0700
Subject: [PATCH 07/22] Update docfx.json
---
 windows/deployment/docfx.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/deployment/docfx.json b/windows/deployment/docfx.json
index a076f8b3fd..c9f6a5f653 100644
--- a/windows/deployment/docfx.json
+++ b/windows/deployment/docfx.json
@@ -59,7 +59,7 @@
 "tiburd",
 "garycentric",
 "beccarobins",
- "v-stchambers",
+ "Stacyrch140",
 "v-stsavell",
 "American-Dipper"
 ],
From f351847637d3bc18471dcad6e9edb6697d4a0238 Mon Sep 17 00:00:00 2001
From: Jeff Borsecnik <123032460+American-Dipper@users.noreply.github.com>
Date: Wed, 11 Oct 2023 10:28:21 -0700
Subject: [PATCH 08/22] Update docfx.json
---
 windows/whats-new/docfx.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/whats-new/docfx.json b/windows/whats-new/docfx.json
index 0c5f721e90..ec64e498bc 100644
--- a/windows/whats-new/docfx.json
+++ b/windows/whats-new/docfx.json
@@ -60,7 +60,7 @@
 "tiburd",
 "garycentric",
 "beccarobins",
- "v-stchambers",
+ "Stacyrch140",
 "v-stsavell",
 "American-Dipper"
 ],
From 30da5adced8b0f1d39260d33b1caa8a8b1c1e353 Mon Sep 17 00:00:00 2001
From: Jeff Borsecnik <123032460+American-Dipper@users.noreply.github.com>
Date: Wed, 11 Oct 2023 10:29:10 -0700
Subject: [PATCH 09/22] Update docfx.json
---
 windows/privacy/docfx.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/privacy/docfx.json b/windows/privacy/docfx.json
index 94c80870bb..f4854fbb05 100644
--- a/windows/privacy/docfx.json
+++ b/windows/privacy/docfx.json
@@ -58,7 +58,7 @@
 "tiburd",
 "garycentric",
 "beccarobins",
- "v-stchambers",
+ "Stacyrch140",
 "v-stsavell",
 "American-Dipper"
 ]
From e583ceccb2d8aeacc67fb456483c9875d94dcc17 Mon Sep 17 00:00:00 2001 From: Terry Warwick Date: Tue, 24 Oct 2023 13:05:23 -0700 Subject: [PATCH 10/22] Update lock-down-windows-11-to-specific-apps.md Commented out the coming soon section as it is causing customer issues Updated the WMI Bridge step by step instructions to remove ambiguity Updated the Sample PowerShell and XML snip-its since the existing samples were broken. I would really like to refactor this topic into a quickstart that leverages a canned sample with a separate XML reference that is combined with the existing XML reference topic, but that is going to require more time. --- .../lock-down-windows-11-to-specific-apps.md | 72 +++++++++++++------ 1 file changed, 51 insertions(+), 21 deletions(-) diff --git a/windows/configuration/lock-down-windows-11-to-specific-apps.md b/windows/configuration/lock-down-windows-11-to-specific-apps.md index 80c498eb6e..03ae4c3aed 100644 --- a/windows/configuration/lock-down-windows-11-to-specific-apps.md +++ b/windows/configuration/lock-down-windows-11-to-specific-apps.md @@ -15,7 +15,7 @@ ms.topic: how-to **Applies to** -- Windows 11 Pro, Enterprise, and Education +- Windows 11 Pro, Enterprise, IoT Enterprise and Education > [!NOTE] > The use of multiple monitors is supported for multi-app kiosk mode in Windows 11. @@ -35,8 +35,12 @@ See the table below for the different methods to configure a multi-app kiosk in |Configuration Method|Availability| |--------------------|------------| |[MDM WMI Bridge Provider](#configure-a-kiosk-using-wmi-bridge) | Available May 2023| + + > [!NOTE] > For WMI Bridge/PowerShell and Provisioning package methods, you will need to create your own multi-app kiosk XML file as specified below. 
@@ -319,42 +323,69 @@ Environments that use [Windows Management Instrumentation (WMI)](/windows/win32/ Here's an example of how to set AssignedAccess configuration: 1. Download the [psexec tool](/sysinternals/downloads/psexec). -2. Run `psexec.exe -i -s cmd.exe`. -3. In the command prompt launched by psexec.exe, enter `powershell.exe` to open PowerShell. -4. Run the following script replacing the placeholder "your XML here, with the [XML](#create-the-xml-file) you created above. +1. Using an elevated command prompt, run `psexec.exe -i -s cmd.exe`. +1. In the command prompt launched by psexec.exe, enter `powershell.exe` to open PowerShell. +1. Save the following Powershell excerpt as a PowerShell script (.ps1), replacing the placeholder "your XML here" with the [Sample Assigned Access XML](#sample-assigned-access-xml) then run the script at the Powershell prompt from the previous step. -```xml -$nameSpaceName="root\cimv2\mdm\dmmap" +```powershell +$eventLogFilterHashTable = @{ + ProviderName = "Microsoft-Windows-AssignedAccess"; + StartTime = Get-Date -Millisecond 0 +} + +$namespaceName="root\cimv2\mdm\dmmap" $className="MDM_AssignedAccess" $obj = Get-CimInstance -Namespace $namespaceName -ClassName $className -Add-Type -AssemblyName System.Web -$obj.Configuration = [System.Web.HttpUtility]::HtmlEncode(@" +$obj.Configuration = [System.Net.WebUtility]::HtmlEncode(@" "@) -Set-CimInstance -CimInstance $obj +$obj = Set-CimInstance -CimInstance $obj -ErrorVariable cimSetError -ErrorAction SilentlyContinue +if($cimSetError) { + Write-Output "An ERROR occurred. 
Displaying error record and attempting to retrieve error logs...`n" + Write-Error -ErrorRecord $cimSetError[0] + + $timeout = New-TimeSpan -Seconds 30 + $stopwatch = [System.Diagnostics.Stopwatch]::StartNew() + do{ + $events = Get-WinEvent -FilterHashtable $eventLogFilterHashTable -ErrorAction Ignore + } until ($events.Count -or $stopwatch.Elapsed -gt $timeout) # wait for the log to be available + + if($events.Count) { + $events | ForEach-Object { + Write-Output "$($_.TimeCreated) [$($_.LevelDisplayName.ToUpper())] $($_.Message -replace "`n|`r")" + } + } else { + Write-Warning "Timed-out attempting to retrieve event logs..." + } + + Exit 1 +} + +Write-Output "Successfully applied Assigned Access configuration" ``` + ## Sample Assigned Access XML -Compare the below to your XML file to check for correct formatting. +This section contains a predefined XML file which can be used as a quickstart to get familiar with the Assigned Access multi-app kiosk feature on Windows 11. ```xml + xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config" + xmlns:win11="http://schemas.microsoft.com/AssignedAccess/2022/config"> - - - - - + + + + 
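Review bot: The error handling added to the PowerShell sample covers only `Set-CimInstance`; the result of `Get-CimInstance -Namespace $namespaceName -ClassName $className` is still dereferenced on the `$obj.Configuration = ...` line without a check. If that query returns nothing (presumably the case when the script is started outside the SYSTEM prompt opened with psexec), the reader gets a null-property error instead of the guided failure path this commit introduces. A guard right after the query, `if (-not $obj) { Write-Error "MDM_AssignedAccess instance not found; run this script from the SYSTEM prompt"; Exit 1 }`, would keep both failure modes consistent. Since the last step now has the reader save a .ps1 file and run it as LocalSystem, the text should also say to keep that file in a location only administrators can write to and to close the psexec-launched prompt when done.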
@@ -362,11 +393,10 @@ Compare the below to your XML file to check for correct formatting. { "pinnedList":[ {"packagedAppId":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"}, {"packagedAppId":"Microsoft.Windows.Photos_8wekyb3d8bbwe!App"}, - {"packagedAppId":"Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic"}, - {"packagedAppId":"Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo"}, {"packagedAppId":"Microsoft.BingWeather_8wekyb3d8bbwe!App"}, - {"desktopAppLink":"%ALLUSERSPROFILE%\\Microsoft\\Windows\\StartMenu\\Programs\\Accessories\\Paint.lnk"}, - {"desktopAppLink":"%APPDATA%\\Microsoft\\Windows\\StartMenu\\Programs\\Accessories\\Notepad.lnk"} + {"desktopAppLink":"C:\\Users\\MultiAppKioskUser\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\File Explorer.lnk"}, + {"desktopAppLink":"C:\\Users\\MultiAppKioskUser\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\System Tools\\Command Prompt.lnk"}, + {"desktopAppLink":"C:\\Users\\MultiAppKioskUser\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Windows PowerShell\\Windows PowerShell.lnk"} ] } ]]> @@ -379,5 +409,5 @@ Compare the below to your XML file to check for correct formatting. - + ``` From 3a7b853087a471cd01e7dbd60b51bcc5ef7fe811 Mon Sep 17 00:00:00 2001 From: jasonepperly <31452365+jasonepperly@users.noreply.github.com> Date: Tue, 31 Oct 2023 16:50:57 -0400 Subject: [PATCH 11/22] Update deployment-service-overview.md fixed missing space --- windows/deployment/update/deployment-service-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/deployment-service-overview.md b/windows/deployment/update/deployment-service-overview.md index 58d36aae43..b3fa2680c5 100644 --- a/windows/deployment/update/deployment-service-overview.md +++ b/windows/deployment/update/deployment-service-overview.md 
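Review bot: The rewritten `pinnedList` pins File Explorer, Command Prompt and Windows PowerShell for the kiosk user, and the section intro added earlier in this commit now presents the XML as a quickstart to copy rather than a formatting reference. A profile that exposes a shell and a file browser gives the restricted account a general-purpose way to browse and run things, so the sample needs a caveat next to it, for example `> [!IMPORTANT] This sample is for evaluation only. Remove File Explorer, Command Prompt and Windows PowerShell from the allowed apps and the pinned list before deploying to production kiosks.` The three `desktopAppLink` values are also hard-coded to `C:\\Users\\MultiAppKioskUser\\...` where the removed lines used `%ALLUSERSPROFILE%` and `%APPDATA%`; a sentence stating that these paths only match an account with that exact name would help, since the pins presumably do not resolve otherwise. The allowed-apps part of the XML is not legible in this hunk, so whether the same three apps are on the allow-list should be confirmed against the file.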
@@ -27,7 +27,7 @@ Windows Update for Business product family has three elements: - [Windows Update for Business reports](wufb-reports-overview.md) to monitor update deployment - Deployment service APIs to approve and schedule specific updates for deployment, which are available through the Microsoft Graph and associated SDKs (including PowerShell) -The deployment service complements existing Windows Update for Business capabilities, including existing device policies and the[Windows Update for Business reports workbook](wufb-reports-workbook.md). +The deployment service complements existing Windows Update for Business capabilities, including existing device policies and the [Windows Update for Business reports workbook](wufb-reports-workbook.md). :::image type="content" source="media/7512398-deployment-service-overview.png" alt-text="Diagram displaying the three elements that are parts of the Windows Update for Business family."::: From c283543a6644bed1c279ca3c449af07aff9d1a59 Mon Sep 17 00:00:00 2001 From: Chad Duffey <7192541+chadduffey@users.noreply.github.com> Date: Wed, 1 Nov 2023 13:01:18 +1100 Subject: [PATCH 12/22] Update secure-the-windows-10-boot-process.md small typo "advanted" -> "advantage" --- .../system-security/secure-the-windows-10-boot-process.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/operating-system-security/system-security/secure-the-windows-10-boot-process.md b/windows/security/operating-system-security/system-security/secure-the-windows-10-boot-process.md index b0da2402b2..b1bfa3ebb1 100644 --- a/windows/security/operating-system-security/system-security/secure-the-windows-10-boot-process.md +++ b/windows/security/operating-system-security/system-security/secure-the-windows-10-boot-process.md 
@@ -121,7 +121,7 @@ Figure 2 illustrates the Measured Boot and remote attestation process. *Figure 2. Measured Boot proves the PC's health to a remote server*: -Windows includes the application programming interfaces to support Measured Boot. However, to take advanted of it, you need non-Microsoft tools to implement a remote attestation client and trusted attestation server. For example, see the following tools from Microsoft Research: +Windows includes the application programming interfaces to support Measured Boot. However, to take advantage of it, you need non-Microsoft tools to implement a remote attestation client and trusted attestation server. For example, see the following tools from Microsoft Research: - [TPM Platform Crypto-Provider Toolkit](https://www.microsoft.com/download/details.aspx?id=52487) - [TSS.MSR](https://github.com/microsoft/TSS.MSR#tssmsr) From 839d8a8ec768578bb2dcd1a2881bc21db4ea0dda Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Wed, 1 Nov 2023 09:34:12 -0700 Subject: [PATCH 13/22] temp ctrl 23h2 updates --- .../temporary-enterprise-feature-control.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/windows/whats-new/temporary-enterprise-feature-control.md b/windows/whats-new/temporary-enterprise-feature-control.md index 65ebf38755..122c8a1f8f 100644 --- a/windows/whats-new/temporary-enterprise-feature-control.md +++ b/windows/whats-new/temporary-enterprise-feature-control.md @@ -8,7 +8,7 @@ author: mestew manager: aaroncz ms.localizationpriority: medium ms.topic: reference -ms.date: 09/26/2023 +ms.date: 11/01/2023 ms.collection: - highpri - tier2 
@@ -39,7 +39,7 @@ Features that are behind temporary enterprise control will be enabled when one o ### Policy settings for temporary enterprise feature control -You can use a policy to enable features that are behind temporary enterprise feature control. When this policy is enabled, all features that were disabled behind temporary enterprise feature control are turned on when the device next reboots. The following polices apply to Windows 11, version 22H2 with [KB5022845](https://support.microsoft.com/en-us/topic/february-14-2023-kb5022845-os-build-22621-1265-90a807f4-d2e8-486e-8a43-d09e66319f38) and later: +You can use a policy to enable features that are behind temporary enterprise feature control. When this policy is enabled, all features that were disabled behind temporary enterprise feature control are turned on when the device next reboots. The following polices apply to Windows 11, version 22H2 with [KB5022845](https://support.microsoft.com/kb/5022845) and later: - **Group Policy:** Computer Configuration\Administrative Templates\Windows Components\Windows Update\Manage end user experience\\**Enable features introduced via servicing that are off by default** 
@@ -52,12 +52,12 @@ The following features are behind temporary enterprise control in Windows 11: | Feature | KB article where the feature was introduced | Feature update that ends temporary control | Notes | |---|---|---|---| -| Touch-optimized taskbar for 2-in-1 devices | [February 28, 2023 - KB5022913](https://support.microsoft.com/topic/february-28-2023-kb5022913-os-build-22621-1344-preview-3e38c0d9-924d-4f3f-b0b6-3bd49b2657b9) | 2023 annual feature update | | -| Selecting **Uninstall** for a Win32 app from the right-click menu uses the **Installed Apps** page in **Settings** rather than **Programs and Features** under the **Control Panel** | [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | 2023 annual feature update | | -| Windows Spotlight provides a minimized experience, opportunities to learn more about each image, and allows users to preview images at full screen.| [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | 2023 annual feature update | This feature also has a permanent control:

**CSP**: ./User/Vendor/MSFT/Policy/Config/Experience/[AllowWindowsSpotlight](/windows/client-management/mdm/policy-csp-experience#allowwindowsspotlight)

**Group Policy**: User Configuration\Administrative Templates\Windows Components\Cloud Content\\**Turn off all Windows spotlight features**| -| Copilot in Windows | [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | 2023 annual feature update | This feature has a permanent control. For more information, see the [Windows 11 features with permanent enterprise feature control](#windows-11-features-with-permanent-enterprise-feature-control) section. | -| Dev Home | [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | 2023 annual feature update | `Get-AppxPackage -Name Microsoft.Windows.DevHome` | -|Dev Drive | [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | 2023 annual feature update | This feature has multiple permanent controls. For more information, see the [Windows 11 features with permanent enterprise feature control](#windows-11-features-with-permanent-enterprise-feature-control) section | +| Touch-optimized taskbar for 2-in-1 devices | [February 28, 2023 - KB5022913](https://support.microsoft.com/kb/5022913) | [Feature Update to Windows 11, version 23H2](https://support.microsoft.com/kb/5027397) | | +| Selecting **Uninstall** for a Win32 app from the right-click menu uses the **Installed Apps** page in **Settings** rather than **Programs and Features** under the **Control Panel** | [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | [Feature Update to Windows 11, version 23H2](https://support.microsoft.com/kb/5027397) | | +| Windows Spotlight provides a minimized experience, opportunities to learn more about each image, and allows users to preview images at full screen.| [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | [Feature Update to Windows 11, version 23H2](https://support.microsoft.com/kb/5027397) | This feature also has a permanent control:

**CSP**: ./User/Vendor/MSFT/Policy/Config/Experience/[AllowWindowsSpotlight](/windows/client-management/mdm/policy-csp-experience#allowwindowsspotlight)

**Group Policy**: User Configuration\Administrative Templates\Windows Components\Cloud Content\\**Turn off all Windows spotlight features**| +| Copilot in Windows | [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | [Feature Update to Windows 11, version 23H2](https://support.microsoft.com/kb/5027397) | This feature has a permanent control. For more information, see the [Windows 11 features with permanent enterprise feature control](#windows-11-features-with-permanent-enterprise-feature-control) section. | +| Dev Home | [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | [Feature Update to Windows 11, version 23H2](https://support.microsoft.com/kb/5027397) | `Get-AppxPackage -Name Microsoft.Windows.DevHome` | +| Dev Drive | [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | [Feature Update to Windows 11, version 23H2](https://support.microsoft.com/kb/5027397) | This feature has multiple permanent controls. For more information, see the [Windows 11 features with permanent enterprise feature control](#windows-11-features-with-permanent-enterprise-feature-control) section | ## Permanent enterprise feature control @@ -69,7 +69,7 @@ The following features introduced through the monthly cumulative updates allow p | Feature | KB article where the feature was introduced | Feature enabled by default | CSP and Group Policy | |---|---|---|---| -| Configure search on the taskbar | [February 28, 2023 - KB5022913](https://support.microsoft.com/topic/february-28-2023-kb5022913-os-build-22621-1344-preview-3e38c0d9-924d-4f3f-b0b6-3bd49b2657b9)| Yes | **CSP**: ./Device/Vendor/MSFT/Policy/Config/Search/[ConfigureSearchOnTaskbarMode](/windows/client-management/mdm/policy-csp-search#configuresearchontaskbarmode)

**Group Policy**: Computer Configuration\Administrative Templates\Windows Components\Search\\**Configures search on the taskbar**| +| Configure search on the taskbar | [February 28, 2023 - KB5022913](https://support.microsoft.com/kb/5022913) | Yes | **CSP**: ./Device/Vendor/MSFT/Policy/Config/Search/[ConfigureSearchOnTaskbarMode](/windows/client-management/mdm/policy-csp-search#configuresearchontaskbarmode)

**Group Policy**: Computer Configuration\Administrative Templates\Windows Components\Search\\**Configures search on the taskbar**| | The **Recommended** section of the **Start Menu** displays personalized website recommendations |[September 2023 - KB5030310](https://support.microsoft.com/kb/5030310)| No |**CSP**: ./Device/Vendor/MSFT/Policy/Config/Start/[HideRecoPersonalizedSites](/windows/client-management/mdm/policy-csp-start)

**Group Policy**: Computer Configuration\Administrative Templates\Start Menu and Taskbar\\**Remove Personalized Website Recommendations from the Recommended section in the Start Menu**| | **Recommended** section added to File Explorer Home for users signed into Windows with an Azure AD account. | [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | Yes | **CSP**:./Device/Vendor/MSFT/Policy/Config/FileExplorer/[DisableGraphRecentItems](/windows/client-management/mdm/policy-csp-fileexplorer#disablegraphrecentitems)

**Group Policy**: Computer Configuration\Administrative Templates\Windows Components\File Explorer\\**Turn off files from Office.com in Quick Access View**

**Note**: This control disables additional items beyond the **Recommended** items. Review the policy before implementing this control. | | Transfer files to another PC using WiFi direct|[September 2023 - KB5030310](https://support.microsoft.com/kb/5030310)|Yes|**CSP**: ./Device/Vendor/MSFT/Policy/Config/Wifi/[AllowWiFiDirect](/windows/client-management/mdm/policy-csp-wifi#allowwifidirect)| From 1281037e96104d05be823d6609d1128af30819b2 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Wed, 1 Nov 2023 09:55:08 -0700 Subject: [PATCH 14/22] temp ctrl 23h2 updates --- windows/whats-new/whats-new-windows-11-version-23h2.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/whats-new/whats-new-windows-11-version-23h2.md b/windows/whats-new/whats-new-windows-11-version-23h2.md index cb43e39852..a6c474e939 100644 --- a/windows/whats-new/whats-new-windows-11-version-23h2.md +++ b/windows/whats-new/whats-new-windows-11-version-23h2.md 
@@ -36,7 +36,7 @@ To learn more about the status of the update rollout, known issues, and new info [Temporary enterprise feature control](temporary-enterprise-feature-control.md) temporarily turns off certain features that were introduced during monthly cumulative updates for managed Windows 11, version 22H2 devices. For the purposes of temporary enterprise control, a system is considered managed if it's configured to get updates from Windows Update for Business or [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus). Clients that get updates from Microsoft Configuration Manager and Microsoft Intune are considered managed since their updates ultimately come from WSUS or Windows Updates for Business. -When a manged Windows 11, version 22H2 device installs version 23H2, the following features will no longer under be under temporary enterprise feature control: +When a manged Windows 11, version 22H2 device installs [version 23H2](https://support.microsoft.com/kb/5027397), the following features will no longer under be under temporary enterprise feature control: | Feature | KB article where the feature was introduced | |---|---| From ce0369368d460ceabf8206e988c11c7078232f60 Mon Sep 17 00:00:00 2001 From: scottmca <89857809+scottmca@users.noreply.github.com> Date: Wed, 1 Nov 2023 13:41:45 -0400 Subject: [PATCH 15/22] Update plan-for-volume-activation-client.md clarified token activation section --- .../volume-activation/plan-for-volume-activation-client.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/volume-activation/plan-for-volume-activation-client.md b/windows/deployment/volume-activation/plan-for-volume-activation-client.md index 1cc96ae7ed..71a14f511f 100644 --- a/windows/deployment/volume-activation/plan-for-volume-activation-client.md +++ b/windows/deployment/volume-activation/plan-for-volume-activation-client.md 
@@ -16,6 +16,7 @@ ms.date: 11/07/2022 **Applies to:** +- Windows 11 - Windows 10 - Windows 8.1 - Windows 8 @@ -87,8 +88,7 @@ Telephone activation is primarily used in situations where a computer is isolate - Active Directory-based activation > [!NOTE] -> Token-based activation is available for specific situations when approved customers rely on a public key infrastructure in an isolated and high-security environment. For more information, contact your Microsoft Account Team or your service representative. -Token-based Activation option is available for Windows 10 Enterprise LTSB editions (Version 1507 and 1607). +> Token-based activation for Windows Enterprise (including LTSC) and Windows Server is available for specific situations when approved customers rely on a public key infrastructure in an isolated and high-security environment. For more information, contact your Microsoft Account Team or your service representative. ### Multiple activation key From 51160c563f0f6806bc418b4af99b8a3de177550f Mon Sep 17 00:00:00 2001 From: Justin Piesco <107575186+JustPies@users.noreply.github.com> Date: Wed, 1 Nov 2023 14:34:14 -0400 Subject: [PATCH 16/22] rebrand updates --- ...rosoft-store-for-business-education-powershell-module.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/store-for-business/microsoft-store-for-business-education-powershell-module.md b/store-for-business/microsoft-store-for-business-education-powershell-module.md index 2cd07840b0..cc4aa9686d 100644 --- a/store-for-business/microsoft-store-for-business-education-powershell-module.md +++ b/store-for-business/microsoft-store-for-business-education-powershell-module.md @@ -9,7 +9,7 @@ author: cmcatee-MSFT manager: scotv ms.topic: conceptual ms.localizationpriority: medium -ms.custom: has-azure-ad-ps-ref +ms.custom: has-azure-ad-ps-ref, azure-ad-ref-level-one-done ms.date: 05/24/2023 ms.reviewer: --- 
@@ -36,7 +36,7 @@ You can use the PowerShell module to: - Perform bulk operations with .csv files - automates license management for customers with larger numbers of licenses >[!NOTE] ->Assigning apps to groups is not supported via this module. Instead, we recommend leveraging the Microsoft Entra ID Or MSOnline Modules to save members of a group to a CSV file and follow instructions below on how to use CSV file to manage assignments. +>Assigning apps to groups is not supported via this module. Instead, we recommend leveraging the Microsoft Entra ID or [Microsoft Graph PowerShell](/powershell/microsoftgraph/overview) Modules to save members of a group to a CSV file and follow instructions below on how to use CSV file to manage assignments. ## Requirements To use the Microsoft Store for Business and Education PowerShell module, you'll need: 
@@ -77,7 +77,7 @@ To authorize the PowerShell module, run this command. You'll need to sign-in wit Grant-MSStoreClientAppAccess ``` -You will be prompted to sign in with your work or school account and then to authorize the PowerShell Module to access your **Microsoft Store for Business and Education** account. Once the module has been imported into the current PowerShell session and authorized to call into your **Microsoft Store for Business and Education** account, Azure PowerShell cmdlets are loaded and ready to be used. +You will be prompted to sign in with your work or school account and then to authorize the PowerShell Module to access your **Microsoft Store for Business and Education** account. Once the module has been imported into the current PowerShell session and authorized to call into your **Microsoft Store for Business and Education** account, Microsoft Graph PowerShell cmdlets are loaded and ready to be used. ## View items in Products and Services Service management should encounter no breaking changes as a result of the separation of Azure Service Management and **Microsoft Store for Business and Education PowerShell** preview. From fc61671915d055aeb67675d58b4da4bd540846e9 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Thu, 2 Nov 2023 07:45:38 -0400 Subject: [PATCH 17/22] updat to licensing table --- includes/licensing/federated-sign-in.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/includes/licensing/federated-sign-in.md b/includes/licensing/federated-sign-in.md index 701d2a3bde..35e8f24701 100644 --- a/includes/licensing/federated-sign-in.md +++ b/includes/licensing/federated-sign-in.md 
@@ -17,6 +17,6 @@ Federated sign-in license entitlements are granted by the following licenses: |Windows Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| |:---:|:---:|:---:|:---:|:---:| -|Yes|Yes|Yes|No|No| +|Yes|No|No|Yes|Yes| For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). From fdf132a741fe0779263aac84824a9f8d6d379e59 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Thu, 2 Nov 2023 07:58:46 -0400 Subject: [PATCH 18/22] Acrolinx --- .../windows/take-a-test-app-technical.md | 22 +++++----- education/windows/windows-11-se-overview.md | 40 +++++++++---------- includes/licensing/_licensing-requirements.md | 4 +- 3 files changed, 33 insertions(+), 33 deletions(-) diff --git a/education/windows/take-a-test-app-technical.md b/education/windows/take-a-test-app-technical.md index da1540090d..2a2cb88081 100644 --- a/education/windows/take-a-test-app-technical.md +++ b/education/windows/take-a-test-app-technical.md @@ -1,7 +1,7 @@ --- title: Take a Test app technical reference description: List of policies and settings applied by the Take a Test app. -ms.date: 03/31/2023 +ms.date: 11/02/2024 ms.topic: reference --- 
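Review bot: The front-matter hunk for education/windows/take-a-test-app-technical.md sets `ms.date: 11/02/2024`, but the commit itself is dated 2 Nov 2023, so the year looks like a typo for `ms.date: 11/02/2023`. A future-dated freshness stamp makes the page appear to have been reviewed a year later than it was, which matters for a reference page listing lock-down policies.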
@@ -11,11 +11,11 @@ Take a Test is an application that locks down a device and displays an online as
 Whether you're a teacher or IT administrator, you can configure Take a Test to meet your testing needs. For high-stakes tests, the app creates a browser-based, locked-down environment. This environment means that students taking the tests that don't have copy/paste privileges, can't access to files and applications, and are free from distractions. For simple tests and quizzes, Take a Test can be configured to use the teacher's preferred assessment website to deliver digital assessments.
-Assessment vendors can use Take a Test as a platform to lock down the operating system. Take a Test supports the [SBAC browser API standard](https://www.smarterapp.org/documents/SecureBrowserRequirementsSpecifications_0-3.pdf) for high stakes common core testing. For more information, see [Take a Test Javascript API](/windows/uwp/apps-for-education/take-a-test-api).
+Assessment vendors can use Take a Test as a platform to lock down the operating system. Take a Test supports the [SBAC browser API standard](https://www.smarterapp.org/documents/SecureBrowserRequirementsSpecifications_0-3.pdf) for high stakes common core testing. For more information, see [Take a Test JavaScript API](/windows/uwp/apps-for-education/take-a-test-api).
 ## PC lock-down for assessment
- When the assessment page initiates lock-down, the student's desktop will be locked and the app will be launched above the Windows lock screen to provide a sandbox that ensures the student can only interact with the Take a Test app. After transitioning to the lock screen, Take a Test will apply local MDM policies to further lock down the device. The whole process of going above the lock screen and applying policies is what defines lock-down. The lock-down process is atomic, which means that if any part of the lock-down operation fails, the app won't be above lock and won't have any of the policies applied.
+ When the assessment page initiates lock-down, the student's desktop is locked and the app executes above the Windows lock screen. This provides a sandbox that ensures the student can only interact with the Take a Test app. After transitioning to the lock screen, Take a Test applies local MDM policies to further lock down the device. The whole process of going above the lock screen and applying policies is what defines lock-down. The lock-down process is atomic, which means that if any part of the lock-down operation fails, the app won't be above lock and won't have any of the policies applied.
 When running above the lock screen:
@@ -25,7 +25,7 @@ When running above the lock screen:
 - System clipboard is cleared
 - Web apps can query the processes currently running in the user's device
 - Extended display shows up as black
-- Auto-fill is disabled
+- Autofill is disabled
 ## Mobile device management (MDM) policies
@@ -36,7 +36,7 @@ When Take a Test is running, the following MDM policies are applied to lock down
 | AllowToasts | Disables toast notifications from being shown | 0 |
 | AllowAppStoreAutoUpdate | Disables automatic updates for Store apps that are installed on the PC | 0 |
 | AllowDeviceDiscovery | Disables UI for screen sharing | 0 |
-| AllowInput Panel | Disables the onscreen keyboard, which will disable auto-fill | 0 |
+| AllowInput Panel | Disables the onscreen keyboard, which disables autofill | 0 |
 | AllowCortana | Disables Cortana functionality | 0 |
 | AllowAutoupdate | Disables Windows Update from starting OS updates | 5 |
@@ -77,21 +77,21 @@ When permissive mode is triggered in lock-down mode, Take a Test transitions fro
 When running tests in this mode, keep the following points in mind:
 - Permissive mode isn't supported in kiosk mode (dedicated test account)
-- Permissive mode can be triggered from the web app running within Take a Test. Alternatively, you can create a link or shortcut without "#enforcelockdown" and it will launch in permissive mode
+- Permissive mode can be triggered from the web app running within Take a Test. Alternatively, you can create a link or shortcut without "#enforcelockdown" and it launches in permissive mode
 ## Troubleshoot Take a Test with the event viewer
-You can use the Event Viewer to view Take a Test events and errors. Take a Test logs events when a lock-down request has been received, device enrollment has succeeded, lock-down policies were successfully applied, and more.
+You can use the Event Viewer to view Take a Test events and errors. Take a Test logs events when it receives a lock-down request, device enrollment succeedes, lock-down policies are successfully applied, and more.
 To enable viewing events in the Event Viewer:
-1. Open the `Event Viewer`
-1. Navigate to `Applications and Services Logs > Microsoft > Windows > Management-SecureAssessment`
-1. Select `Operational` > `Enable Log`
+1. Open the Event Viewer
+1. Navigate to **Applications and Services Logs** > **Microsoft** > **Windows** > **Management-SecureAssessment**
+1. Select **Operational** > **Enable Log**
 To save the event logs:
-1. Select `Operational` > `Save All Events As…`
+1. Select **Operational** > **Save All Events As…**
 ## Learn more
diff --git a/education/windows/windows-11-se-overview.md b/education/windows/windows-11-se-overview.md
index 85683ac20e..2fd353ae04 100644
--- a/education/windows/windows-11-se-overview.md
+++ b/education/windows/windows-11-se-overview.md
@@ -2,7 +2,7 @@
 title: Windows 11 SE Overview
 description: Learn about Windows 11 SE, and the apps that are included with the operating system.
 ms.topic: overview
-ms.date: 08/03/2023
+ms.date: 11/02/2023
 appliesto:
 - ✅ Windows 11 SE
 ms.collection:
@@ -13,7 +13,7 @@ ms.collection:
 # Windows 11 SE Overview
-Windows 11 SE is an edition of Windows that's designed for education. Windows SE runs on web-first devices that use essential education apps, and it comes with Microsoft Office 365 preinstalled (subscription sold separately).
+Windows 11 SE is an edition of Windows designed for education. Windows SE runs on web-first devices that use essential education apps, and it comes with Microsoft Office 365 preinstalled (subscription sold separately).
 For education customers seeking cost-effective devices, Microsoft Windows 11 SE is a great choice. Windows 11 SE includes the following benefits:
@@ -35,8 +35,8 @@ The following table lists the different application types available in Windows o
 | --- | --- | :---: | ---|
 |Progressive Web Apps (PWAs) | PWAs are web-based applications that can run in a browser and that can be installed as standalone apps. |✅|PWAs are enabled by default in Windows 11 SE.|
 | Web apps | Web apps are web-based applications that run in a browser. | ✅ | Web apps are enabled by default in Windows 11 SE. |
-|`Win32`| `Win32` applications are Windows classic applications that may require installation |⛔| If users try to install or execute `Win32` applications that haven't been allowed to run, they fail.|
-|Universal Windows Platform (UWP)/Store apps |UWP apps are commonly obtained from the Microsoft Store and may require installation |⛔|If users try to install or execute UWP applications that haven't been allowed to run, they fail.|
+|`Win32`| `Win32` applications are Windows classic applications that might require installation |⛔| If users try to install or execute `Win32` applications that aren't allowed to run, they fail.|
+|Universal Windows Platform (UWP)/Store apps |UWP apps are commonly obtained from the Microsoft Store and might require installation |⛔|If users try to install or execute UWP applications that haven't been allowed to run, they fail.|
 > [!IMPORTANT]
 > If there are specific `Win32` or UWP applications that you want to allow, work with Microsoft to get them enabled. For more information, see [Add your own applications](#add-your-own-applications).
@@ -48,33 +48,33 @@ The following table lists all the applications included in Windows 11 SE and the
 | App name | App type | Pinned to Start? | Pinned to taskbar? |
 |:-----------------------------|:--------:|:----------------:|:------------------:|
 | Alarm & Clock | UWP | | |
-| Calculator | UWP | ✅ | |
-| Camera | UWP | ✅ | |
-| Microsoft Edge | `Win32` | ✅ | ✅ |
-| Excel | `Win32` | ✅ | |
+| Calculator | UWP | ✅ | |
+| Camera | UWP | ✅ | |
+| Microsoft Edge | `Win32` | ✅ | ✅ |
+| Excel | `Win32` | ✅ | |
 | Feedback Hub | UWP | | |
-| File Explorer | `Win32` | | ✅ |
+| File Explorer | `Win32` | | ✅ |
 | FlipGrid | PWA | | |
 | Get Help | UWP | | |
-| Media Player | UWP | ✅ | |
+| Media Player | UWP | ✅ | |
 | Maps | UWP | | |
 | Minecraft: Education Edition | UWP | | |
 | Movies & TV | UWP | | |
 | News | UWP | | |
-| Notepad | `Win32` | | |
-| OneDrive | `Win32` | | |
-| OneNote | `Win32` | ✅ | |
-| Outlook | PWA | ✅ | |
-| Paint | `Win32` | ✅ | |
+| Notepad | `Win32` | | |
+| OneDrive | `Win32` | | |
+| OneNote | `Win32` | ✅ | |
+| Outlook | PWA | ✅ | |
+| Paint | `Win32` | ✅ | |
 | Photos | UWP | | |
-| PowerPoint | `Win32` | ✅ | |
-| Settings | UWP | ✅ | |
+| PowerPoint | `Win32` | ✅ | |
+| Settings | UWP | ✅ | |
 | Snip & Sketch | UWP | | |
 | Sticky Notes | UWP | | |
-| Teams | `Win32` | ✅ | |
+| Teams | `Win32` | ✅ | |
 | To Do | UWP | | |
-| Whiteboard | UWP | ✅ | |
-| Word | `Win32` | ✅ | |
+| Whiteboard | UWP | ✅ | |
+| Word | `Win32` | ✅ | |
 ## Available applications
diff --git a/includes/licensing/_licensing-requirements.md b/includes/licensing/_licensing-requirements.md
index 780ba51ff0..e87793d3af 100644
--- a/includes/licensing/_licensing-requirements.md
+++ b/includes/licensing/_licensing-requirements.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 09/18/2023
+ms.date: 11/02/2023
 ms.topic: include
 ---
@@ -30,7 +30,7 @@ ms.topic: include
 |**[Enhanced phishing protection with SmartScreen](/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection)**|Yes|Yes|Yes|Yes|Yes|
 |**[Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection)**|Yes|Yes|Yes|Yes|Yes|
 |**[Federal Information Processing Standard (FIPS) 140 validation](/windows/security/security-foundations/certification/fips-140-validation)**|Yes|Yes|Yes|Yes|Yes|
-|**[Federated sign-in](/education/windows/federated-sign-in)**|❌|Yes|Yes|❌|❌|
+|**[Federated sign-in](/education/windows/federated-sign-in)**|❌|❌|❌|Yes|Yes|
 |**[FIDO2 security key](/azure/active-directory/authentication/howto-authentication-passwordless-security-key)**|Yes|Yes|Yes|Yes|Yes|
 |**[Hardware-enforced stack protection](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/understanding-hardware-enforced-stack-protection/ba-p/1247815)**|Yes|Yes|Yes|Yes|Yes|
 |**[Hypervisor-protected Code Integrity (HVCI)](/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity)**|Yes|Yes|Yes|Yes|Yes|
From 4d3703e37e1733394173fbee008fd9e4518a6e99 Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Thu, 2 Nov 2023 08:01:45 -0400
Subject: [PATCH 19/22] Acrolinx
---
 education/windows/take-a-test-app-technical.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/education/windows/take-a-test-app-technical.md b/education/windows/take-a-test-app-technical.md
index 2a2cb88081..6f974b8e47 100644
--- a/education/windows/take-a-test-app-technical.md
+++ b/education/windows/take-a-test-app-technical.md
@@ -81,7 +81,7 @@ When running tests in this mode, keep the following points in mind:
 ## Troubleshoot Take a Test with the event viewer
-You can use the Event Viewer to view Take a Test events and errors. Take a Test logs events when it receives a lock-down request, device enrollment succeedes, lock-down policies are successfully applied, and more.
+You can use the Event Viewer to view Take a Test events and errors. Take a Test logs events when it receives a lock-down request, device enrollment completes, lock-down policies are successfully applied, and more.
 To enable viewing events in the Event Viewer:
From 6f9a3343d3be1900b72323263f5c5f266f5cf351 Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Thu, 2 Nov 2023 08:02:10 -0400
Subject: [PATCH 20/22] Fixed date
---
 education/windows/take-a-test-app-technical.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/education/windows/take-a-test-app-technical.md b/education/windows/take-a-test-app-technical.md
index 6f974b8e47..0ce7bc976a 100644
--- a/education/windows/take-a-test-app-technical.md
+++ b/education/windows/take-a-test-app-technical.md
@@ -1,7 +1,7 @@
 ---
 title: Take a Test app technical reference
 description: List of policies and settings applied by the Take a Test app.
-ms.date: 11/02/2024
+ms.date: 11/02/2023
 ms.topic: reference
 ---
From e58c85d397b3b555df2606a1c4f5c520034d35ba Mon Sep 17 00:00:00 2001
From: Stacyrch140 <102548089+Stacyrch140@users.noreply.github.com>
Date: Thu, 2 Nov 2023 11:24:29 -0400
Subject: [PATCH 21/22] pencil
---
 education/windows/take-a-test-app-technical.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/education/windows/take-a-test-app-technical.md b/education/windows/take-a-test-app-technical.md
index 0ce7bc976a..f7c44f77e7 100644
--- a/education/windows/take-a-test-app-technical.md
+++ b/education/windows/take-a-test-app-technical.md
@@ -61,7 +61,7 @@ When Take a Test is running, the following functionality is available to student
 - Magnifier is available through Win++
 - The student can press Alt+Tab when locked down. This key press results in the student being able to switch between the following elements:
 - Take a Test
- - Assistive technology that may be running
+ - Assistive technology that might be running
 - Lock screen (not available if student is using a dedicated test account)
 > [!NOTE]
@@ -95,4 +95,4 @@ To save the event logs:
 ## Learn more
-[Take a Test API](/windows/uwp/apps-for-education/take-a-test-api)
\ No newline at end of file
+[Take a Test API](/windows/uwp/apps-for-education/take-a-test-api)
From 573e102ddd36e8c6241af9839ce02f04c169ecf8 Mon Sep 17 00:00:00 2001
From: Kevin Sheehan <116211220+kbsheehan@users.noreply.github.com>
Date: Thu, 2 Nov 2023 15:09:36 -0400
Subject: [PATCH 22/22] Update manage-windows-copilot.md Fixed URI
---
 windows/client-management/manage-windows-copilot.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/client-management/manage-windows-copilot.md b/windows/client-management/manage-windows-copilot.md
index bc4adbca9d..aeaad6dc3b 100644
--- a/windows/client-management/manage-windows-copilot.md
+++ b/windows/client-management/manage-windows-copilot.md
@@ -19,7 +19,7 @@ This policy setting allows you to turn off Copilot in Windows. If you enable thi
 | | Setting |
 |------------------|---------------------------------------------------------------------------------------------------------|
-| **CSP** | ./User/Vendor/MSFT/WindowsAI/[TurnOffWindowsCopilot](mdm/policy-csp-windowsai.md#turnoffwindowscopilot) |
+| **CSP** | ./User/Vendor/MSFT/Policy/Config/WindowsAI/[TurnOffWindowsCopilot](mdm/policy-csp-windowsai.md#turnoffwindowscopilot) |
 | **Group policy** | User Configuration > Administrative Templates > Windows Components > Windows Copilot > **Turn off Windows Copilot** |