diff --git a/browsers/edge/docfx.json b/browsers/edge/docfx.json
index d36533a87e..361003c659 100644
--- a/browsers/edge/docfx.json
+++ b/browsers/edge/docfx.json
@@ -28,6 +28,9 @@
 ],
 "globalMetadata": {
 "recommendations": true,
+ "ms.collection": [
+ "tier3"
+ ],
 "breadcrumb_path": "/microsoft-edge/breadcrumbs/toc.json",
 "ROBOTS": "INDEX, FOLLOW",
 "ms.technology": "microsoft-edge",
diff --git a/browsers/internet-explorer/docfx.json b/browsers/internet-explorer/docfx.json
index f52e815de7..626d8e7d35 100644
--- a/browsers/internet-explorer/docfx.json
+++ b/browsers/internet-explorer/docfx.json
@@ -24,6 +24,9 @@
 ],
 "globalMetadata": {
 "recommendations": true,
+ "ms.collection": [
+ "tier3"
+ ],
 "breadcrumb_path": "/internet-explorer/breadcrumb/toc.json",
 "ROBOTS": "INDEX, FOLLOW",
 "ms.topic": "article",
diff --git a/browsers/internet-explorer/includes/microsoft-365-ie-end-of-support.md b/browsers/internet-explorer/includes/microsoft-365-ie-end-of-support.md
index 912ce707bd..2ba0956295 100644
--- a/browsers/internet-explorer/includes/microsoft-365-ie-end-of-support.md
+++ b/browsers/internet-explorer/includes/microsoft-365-ie-end-of-support.md
@@ -1,16 +1,12 @@
 ---
 author: aczechowski
 ms.author: aaroncz
-ms.date: 12/16/2022
+ms.date: 02/14/2023
 ms.reviewer: cathask
 manager: aaroncz
 ms.prod: ie11
 ms.topic: include
 ---
-> [!WARNING]
-> **Update:** The retired, out-of-support Internet Explorer 11 desktop application is scheduled to be permanently disabled through a Microsoft Edge update on certain versions of Windows 10 on February 14, 2023.
->
-> We highly recommend setting up IE mode in Microsoft Edge and disabling IE11 prior to this date to ensure your organization does not experience business disruption.
->
-> For more information, see [Internet Explorer 11 desktop app retirement FAQ](https://aka.ms/iemodefaq).
+> [!CAUTION]
+> **Update:** The retired, out-of-support Internet Explorer 11 desktop application has been permanently disabled through a Microsoft Edge update on certain versions of Windows 10. For more information, see [Internet Explorer 11 desktop app retirement FAQ](https://aka.ms/iemodefaq).
diff --git a/education/docfx.json b/education/docfx.json
index fa2265b104..993809eee6 100644
--- a/education/docfx.json
+++ b/education/docfx.json
@@ -29,7 +29,10 @@
 "globalMetadata": {
 "recommendations": true,
 "ms.topic": "article",
- "ms.collection": "education",
+ "ms.collection": [
+ "education",
+ "tier2"
+ ],
 "ms.prod": "windows-client",
 "ms.technology": "itpro-edu",
 "author": "paolomatarazzo",
diff --git a/education/index.yml b/education/index.yml
index ef45124188..29efffa3ae 100644
--- a/education/index.yml
+++ b/education/index.yml
@@ -45,7 +45,7 @@ productDirectory:
 text: Azure information protection deployment acceleration guide
 - url: /defender-cloud-apps/get-started
 text: Microsoft Defender for Cloud Apps
- - url: /microsoft-365/compliance/create-test-tune-dlp-policy
+ - url: /microsoft-365/compliance/information-protection#prevent-data-loss
 text: Data loss prevention
 - url: /microsoft-365/compliance/
 text: Microsoft Purview compliance
diff --git a/education/windows/autopilot-reset.md b/education/windows/autopilot-reset.md
index 0901d32b40..c6fc526cd0 100644
--- a/education/windows/autopilot-reset.md
+++ b/education/windows/autopilot-reset.md
@@ -7,6 +7,7 @@ appliesto:
 - ✅ Windows 10
 ms.collection:
 - highpri
+ - tier2
 - education
 ---
diff --git a/education/windows/change-home-to-edu.md b/education/windows/change-home-to-edu.md
index 1826ecd768..fea632b61a 100644
--- a/education/windows/change-home-to-edu.md
+++ b/education/windows/change-home-to-edu.md
@@ -7,6 +7,9 @@ author: scottbreenmsft
 ms.author: scbree
 ms.reviewer: paoloma
 manager: jeffbu
+ms.collection:
+ - tier3
+ - education
 appliesto:
 - ✅ Windows 10 and later
 ---
diff --git a/education/windows/change-to-pro-education.md b/education/windows/change-to-pro-education.md
index f377a4582c..a134019d38 100644
--- a/education/windows/change-to-pro-education.md
+++ b/education/windows/change-to-pro-education.md
@@ -7,6 +7,7 @@ appliesto:
 - ✅ Windows 10
 ms.collection:
 - highpri
+ - tier2
 - education
 ---
@@ -147,7 +148,7 @@ Existing Azure AD domain joined devices will be changed to Windows 10 Pro Educat
 ### For new devices that are not Azure AD joined
 Now that you've turned on the setting to automatically change to Windows 10 Pro Education, the users are ready to change their devices running Windows 10 Pro, version 1607 or higher, version 1703 to Windows 10 Pro Education edition.
-#### Step 1: Join users’ devices to Azure AD
+#### Step 1: Join users' devices to Azure AD
 Users can join a device to Azure AD the first time they start the device (during setup), or they can join a device that they already use running Windows 10 Pro, version 1607 or higher, version 1703.
diff --git a/education/windows/configure-aad-google-trust.md b/education/windows/configure-aad-google-trust.md
index 5198c4f4d6..60ad9dce9e 100644
--- a/education/windows/configure-aad-google-trust.md
+++ b/education/windows/configure-aad-google-trust.md
@@ -1,7 +1,7 @@
 ---
 title: Configure federation between Google Workspace and Azure AD
 description: Configuration of a federated trust between Google Workspace and Azure AD, with Google Workspace acting as an identity provider (IdP) for Azure AD.
-ms.date: 01/17/2023
+ms.date: 02/10/2023
 ms.topic: how-to
 ---
@@ -42,7 +42,7 @@ To test federation, the following prerequisites must be met:
 1. On the *Service provider details* page
 - Select the option **Signed response**
 - Verify that the Name ID format is set to **PERSISTENT**
- - Depending on how the Azure AD users have been provisioned in Azure AD, you may need to adjust the **Name ID** mapping. For more information, see (article to write).\
+ - Depending on how the Azure AD users have been provisioned in Azure AD, you may need to adjust the **Name ID** mapping.\
 If using Google auto-provisioning, select **Basic Information > Primary email**
 - Select **Continue**
 1. On the *Attribute mapping* page, map the Google attributes to the Azure AD attributes
diff --git a/education/windows/edu-stickers.md b/education/windows/edu-stickers.md
index 023393a04f..56094c8023 100644
--- a/education/windows/edu-stickers.md
+++ b/education/windows/edu-stickers.md
@@ -8,6 +8,7 @@ appliesto:
 ms.collection:
 - highpri
 - education
+ - tier2
 ---
 # Configure Stickers for Windows 11 SE
diff --git a/education/windows/federated-sign-in.md b/education/windows/federated-sign-in.md
index 09ceb1908c..0ea3ad5e3d 100644
--- a/education/windows/federated-sign-in.md
+++ b/education/windows/federated-sign-in.md
@@ -5,6 +5,10 @@ ms.date: 01/12/2023
 ms.topic: how-to
 appliesto:
 - ✅ Windows 11 SE
+ms.collection:
+ - highpri
+ - tier1
+ - education
 ---
diff --git a/education/windows/get-minecraft-for-education.md b/education/windows/get-minecraft-for-education.md
index 903d8182e3..53ac374a11 100644
--- a/education/windows/get-minecraft-for-education.md
+++ b/education/windows/get-minecraft-for-education.md
@@ -8,6 +8,7 @@ appliesto:
 ms.collection:
 - highpri
 - education
+ - tier2
 ---
 # Get Minecraft: Education Edition
diff --git a/education/windows/school-get-minecraft.md b/education/windows/school-get-minecraft.md
index fca31b0f6b..150285950b 100644
--- a/education/windows/school-get-minecraft.md
+++ b/education/windows/school-get-minecraft.md
@@ -8,6 +8,7 @@ appliesto:
 ms.collection:
 - highpri
 - education
+ - tier2
 ---
 # For IT administrators - get Minecraft: Education Edition
@@ -34,7 +35,7 @@ If you turn off this setting after students have been using Minecraft: Education
 Users in a Microsoft verified academic institution account will have access to the free trial limited logins for Minecraft: Education Edition. This grants faculty accounts 25 free logins and student accounts 10 free logins. To purchase direct licenses, see [Minecraft: Education Edition - direct purchase](#individual-copies).
-If you’ve been approved and are part of the Enrollment for Education Solutions volume license program, you can purchase a volume license for Minecraft: Education Edition. For more information, see [Minecraft: Education Edition - volume license](#volume-license).
+If you've been approved and are part of the Enrollment for Education Solutions volume license program, you can purchase a volume license for Minecraft: Education Edition. For more information, see [Minecraft: Education Edition - volume license](#volume-license).
 ### Minecraft: Education Edition - direct purchase
@@ -48,7 +49,7 @@ If you’ve been approved and are part of the Enrollment for Education Solutions
 5. Select the quantity of licenses you would like to purchase and select **Place Order**.
-6. After you’ve purchased licenses, you’ll need to [assign them to users in the Admin Center](/microsoft-365/admin/manage/assign-licenses-to-users).
+6. After you've purchased licenses, you'll need to [assign them to users in the Admin Center](/microsoft-365/admin/manage/assign-licenses-to-users).
 If you need additional licenses for **Minecraft: Education Edition**, see [Buy or remove subscription licenses](/microsoft-365/commerce/licenses/buy-licenses).
@@ -57,7 +58,7 @@ If you need additional licenses for **Minecraft: Education Edition**, see [Buy o
 Qualified education institutions can purchase Minecraft: Education Edition licenses through their Microsoft channel partner. Schools need to be part of the Enrollment for Education Solutions (EES) volume licensing program. Educational institutions should work with their channel partner to determine which Minecraft: Education Edition licensing offer is best for their institution. The process looks like this:
 - Your channel partner will submit and process your volume license order, your licenses will be shown on [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx), and the licenses will be available in your [Microsoft Store for Education](https://www.microsoft.com/business-store) inventory.
-- You’ll receive an email with a link to Microsoft Store for Education.
+- You'll receive an email with a link to Microsoft Store for Education.
 - Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com) to distribute and manage the Minecraft: Education Edition licenses. For more information on distribution options, see [Distribute Minecraft](#distribute-minecraft)
 ## Minecraft: Education Edition payment options
diff --git a/education/windows/teacher-get-minecraft.md b/education/windows/teacher-get-minecraft.md
index df19ac8729..f11f1f684a 100644
--- a/education/windows/teacher-get-minecraft.md
+++ b/education/windows/teacher-get-minecraft.md
@@ -8,6 +8,7 @@ appliesto:
 ms.collection:
 - highpri
 - education
+ - tier2
 ---
 # For teachers - get Minecraft: Education Edition
diff --git a/education/windows/test-windows10s-for-edu.md b/education/windows/test-windows10s-for-edu.md
index 06e17f21da..eaeda25979 100644
--- a/education/windows/test-windows10s-for-edu.md
+++ b/education/windows/test-windows10s-for-edu.md
@@ -8,6 +8,7 @@ appliesto:
 ms.collection:
 - highpri
 - education
+ - tier2
 ---
 # Test Windows 10 in S mode on existing Windows 10 education devices
diff --git a/education/windows/windows-11-se-overview.md b/education/windows/windows-11-se-overview.md
index bf2de408fe..9b877306f7 100644
--- a/education/windows/windows-11-se-overview.md
+++ b/education/windows/windows-11-se-overview.md
@@ -8,6 +8,7 @@ appliesto:
 ms.collection:
 - highpri
 - education
+ - tier1
 ---
 # Windows 11 SE Overview
diff --git a/education/windows/windows-11-se-settings-list.md b/education/windows/windows-11-se-settings-list.md
index 774fca45dd..36e841ae91 100644
--- a/education/windows/windows-11-se-settings-list.md
+++ b/education/windows/windows-11-se-settings-list.md
@@ -5,6 +5,9 @@ ms.topic: article
 ms.date: 09/12/2022
 appliesto:
 - ✅ Windows 11 SE
+ms.collection:
+ - education
+ - tier1
 ---
 # Windows 11 SE for Education settings list
diff --git a/store-for-business/docfx.json b/store-for-business/docfx.json
index 9388758a6c..4be7b72365 100644
--- a/store-for-business/docfx.json
+++ b/store-for-business/docfx.json
@@ -32,6 +32,9 @@
 "externalReference": [],
 "globalMetadata": {
 "recommendations": true,
+ "ms.collection": [
+ "tier2"
+ ],
 "breadcrumb_path": "/microsoft-store/breadcrumb/toc.json",
 "ms.author": "trudyha",
 "audience": "ITPro",
diff --git a/windows/application-management/docfx.json b/windows/application-management/docfx.json
index 4cd7b0588c..1c1b014b8d 100644
--- a/windows/application-management/docfx.json
+++ b/windows/application-management/docfx.json
@@ -35,6 +35,9 @@
 "globalMetadata": {
 "recommendations": true,
 "breadcrumb_path": "/windows/resources/breadcrumb/toc.json",
+ "ms.collection": [
+ "tier2"
+ ],
 "uhfHeaderId": "MSDocsHeader-M365-IT",
 "ms.technology": "itpro-apps",
 "ms.topic": "article",
diff --git a/windows/application-management/system-apps-windows-client-os.md b/windows/application-management/system-apps-windows-client-os.md
index 1e692a53a0..6cfbbac63c 100644
--- a/windows/application-management/system-apps-windows-client-os.md
+++ b/windows/application-management/system-apps-windows-client-os.md
@@ -43,314 +43,314 @@ The following information lists the system apps on some Windows Enterprise OS ve - File Picker | Package name: 1527c705-839a-4832-9118-54d4Bd6a0c89 --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | ✔️ | ✔️| ✔️ | --- - File Explorer | Package name: c5e2524a-ea46-4f67-841f-6a9465d9d515 --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | ✔️ | ✔️| ✔️ | --- - App Resolver UX | Package name: E2A4F912-2574-4A75-9BB0-0D023378592B --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | ✔️ | ✔️| ✔️ | --- - Add Suggested Folders To Library | Package name: F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | ✔️ | ✔️| ✔️ | --- - InputApp --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | | | ✔️ | + | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | | | ✔️ | --- - Microsoft.AAD.Broker.Plugin | Package name: Microsoft.AAD.Broker.Plugin --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? 
| 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | ✔️ | ✔️| ✔️ | --- - Microsoft.AccountsControl | Package name: Microsoft.AccountsControl --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | ✔️ | ✔️| ✔️ | --- - Microsoft.AsyncTextService | Package name: Microsoft.AsyncTextService --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | ✔️ | ✔️| ✔️ | --- - Hello setup UI | Package name: Microsoft.BioEnrollment --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | ✔️ | ✔️| ✔️ | --- - Microsoft.CredDialogHost --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | ✔️ | ✔️| ✔️ | --- - Microsoft.ECApp --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | ✔️ | ✔️| ✔️ | --- - Microsoft.LockApp --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | ✔️ | ✔️| ✔️ | --- - Microsoft Edge | Package name: Microsoft.MicrosoftEdge --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? 
| 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | ✔️ | ✔️| ✔️ | --- - Microsoft.MicrosoftEdgeDevToolsClient --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | ✔️ | ✔️| ✔️ | --- - Microsoft.PPIProjection --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | | | ✔️ | + | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | | | ✔️ | --- - Microsoft.Win32WebViewHost --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | ✔️ | ✔️| ✔️ | --- - Microsoft.Windows.Apprep.ChxApp --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | ✔️ | ✔️| ✔️ | --- - Microsoft.Windows.AssignedAccessLockApp --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | ✔️ | ✔️| ✔️ | --- - Microsoft.Windows.CapturePicker --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | ✔️ | ✔️| ✔️ | --- - Microsoft.Windows.CloudExperienceHost --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? 
| 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | ✔️ | ✔️| ✔️ | --- - Microsoft.Windows.ContentDeliveryManager --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | ✔️ | ✔️| ✔️ | --- - Cortana | Package name: Microsoft.Windows.Cortana --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | | | ✔️ | + | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | | | ✔️ | --- - Microsoft.Windows.OOBENetworkCaptivePort --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | ✔️ | ✔️| ✔️ | --- - Microsoft.Windows.OOBENetworkConnectionFlow --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | ✔️ | ✔️| ✔️ | --- - Microsoft.Windows.ParentalControls --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | ✔️ | ✔️| ✔️ | --- - People Hub | Package name: Microsoft.Windows.PeopleExperienceHost --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | ✔️ | ✔️| ✔️ | --- - Microsoft.Windows.PinningConfirmationDialog --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? 
| 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | ✔️ | ✔️| ✔️ | --- - Microsoft.Windows.SecHealthUI --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | ✔️ | ✔️| ✔️ | --- - Microsoft.Windows.SecureAssessmentBrowser --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | ✔️ | ✔️| ✔️ | --- - Start | Package name: Microsoft.Windows.ShellExperienceHost --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | ✔️ | ✔️| ✔️ | --- - Microsoft.XboxGameCallableUI --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | ✔️ | ✔️| ✔️ | --- - Windows.CBSPreview --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | ✔️ | ✔️| ✔️ | --- - Settings | Package name: Windows.immersivecontrolpanel --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | ✔️ | ✔️| ✔️ | --- - Print 3D | Package name: Windows.Print3D --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ✔️ | | | ✔️ | + | Uninstall through UI? 
| 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ✔️ | ✔️ | | | ✔️ | --- - Print UI | Package name: Windows.PrintDialog --- - | Uninstall through UI? | 21H1 | 20H2 | 1809 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | + | --- | --- | --- | --- | --- | --- | + | | ❌ | ❌ | ✔️ | ✔️| ✔️ | --- diff --git a/windows/client-management/docfx.json b/windows/client-management/docfx.json index 8c038b6c43..ae506a8cb0 100644 --- a/windows/client-management/docfx.json +++ b/windows/client-management/docfx.json @@ -34,6 +34,9 @@ "externalReference": [], "globalMetadata": { "recommendations": true, + "ms.collection": [ + "tier2" + ], "breadcrumb_path": "/windows/resources/breadcrumb/toc.json", "uhfHeaderId": "MSDocsHeader-M365-IT", "ms.technology": "itpro-manage", diff --git a/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md b/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md index f0fcb85ef2..8a53921483 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md @@ -4,7 +4,7 @@ description: Learn more about the ADMX_WindowsExplorer Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/09/2023 +ms.date: 02/10/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
@@ -4538,7 +4538,7 @@ The first several links will also be pinned to the Start menu. A total of four l
-This policy setting allows you to add Internet or intranet sites to the "Search again" links located at the bottom of search results in File Explorer and the Start menu links. The "Search again" links at the bottom of the Search Results view allow the user to reconduct a search but in a different location. The Internet search site will be searched with the text in the search box. To add an Internet search site, specify the URL of the search site in OpenSearch format with {searchTerms} for the query string (for example, {searchTerms}).
+This policy setting allows you to add Internet or intranet sites to the "Search again" links located at the bottom of search results in File Explorer and the Start menu links. The "Search again" links at the bottom of the Search Results view allow the user to reconduct a search but in a different location. The Internet search site will be searched with the text in the search box. To add an Internet search site, specify the URL of the search site in OpenSearch format with {searchTerms} for the query string (for example, `https://www.example.com/results.aspx?q={searchTerms}`).
 You can add up to five additional links to the "Search again" links at the bottom of results returned in File Explorer after a search is executed. These links will be shared between Internet search sites and Search Connectors/Libraries. Search Connector/Library links take precedence over Internet search links.
diff --git a/windows/client-management/mdm/policy-csp-audit.md b/windows/client-management/mdm/policy-csp-audit.md
index 33a6b979ad..2636c0f68e 100644
--- a/windows/client-management/mdm/policy-csp-audit.md
+++ b/windows/client-management/mdm/policy-csp-audit.md
@@ -4,7 +4,7 @@ description: Learn more about the Audit Area in Policy CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 01/09/2023
+ms.date: 02/10/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -343,7 +343,7 @@ Volume: Low.
-This policy allows you to audit the group memberhsip information in the user's logon token. Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. When this setting is configured, one or more security audit events are generated for each successful logon. You must also enable the Audit Logon setting under Advanced Audit Policy Configuration\System Audit Policies\Logon/Logoff. Multiple events are generated if the group memberhsip information cannot fit in a single security audit event.
+This policy allows you to audit the group membership information in the user's logon token. Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. When this setting is configured, one or more security audit events are generated for each successful logon. You must also enable the Audit Logon setting under Advanced Audit Policy Configuration\System Audit Policies\Logon/Logoff. Multiple events are generated if the group membership information cannot fit in a single security audit event.
@@ -836,7 +836,7 @@ Volume: Low.
-This policy setting allows you to audit events generated by special logons such as the following : The use of a special logon, which is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level. A logon by a member of a Special Group. Special Groups enable you to audit events generated when a member of a certain group has logged on to your network. You can configure a list of group security identifiers (SIDs) in the registry. If any of those SIDs are added to a token during logon and the subcategory is enabled, an event is logged. For more information about this feature, see article 947223 in the Microsoft Knowledge Base (.
+This policy setting allows you to audit events generated by special logons such as the following: The use of a special logon, which is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level. A logon by a member of a Special Group. Special Groups enable you to audit events generated when a member of a certain group has logged on to your network. You can configure a list of group security identifiers (SIDs) in the registry. If any of those SIDs are added to a token during logon and the subcategory is enabled, an event is logged. For more information about this feature, see [article 947223 in the Microsoft Knowledge Base]().
@@ -1083,7 +1083,7 @@ Volume: Low.
 This policy setting allows you to audit events generated by changes to distribution groups such as the following Distribution group is created, changed, or deleted. Member is added or removed from a distribution group. Distribution group type is changed. If you configure this policy setting, an audit event is generated when an attempt to change a distribution group is made. Success audits record successful attempts and Failure audits record unsuccessful attempts.
-- If you do not configure this policy setting, no audit event is generated when a distribution group changes
+- If you do not configure this policy setting, no audit event is generated when a distribution group changes.
 > [!NOTE]
 > Events in this subcategory are logged only on domain controllers.
@@ -1120,7 +1120,7 @@ Volume: Low.
 | Name | Value |
 |:--|:--|
-| Name | Audit Distributio Group Management |
+| Name | Audit Distribution Group Management |
 | Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Account Management |
@@ -1332,7 +1332,7 @@ Volume: Low.
-This policy setting allows you to audit events generated when encryption or decryption requests are made to the Data Protection application interface (DPAPI). DPAPI is used to protect secret information such as stored password and key information. For more information about DPAPI, see . If you configure this policy setting, an audit event is generated when an encryption or decryption request is made to DPAPI. Success audits record successful requests and Failure audits record unsuccessful requests.
+This policy setting allows you to audit events generated when encryption or decryption requests are made to the Data Protection application interface (DPAPI). DPAPI is used to protect secret information such as stored password and key information. For more information about DPAPI, see [How to Use Data Protection](/dotnet/standard/security/how-to-use-data-protection). If you configure this policy setting, an audit event is generated when an encryption or decryption request is made to DPAPI. Success audits record successful requests and Failure audits record unsuccessful requests.
 - If you do not configure this policy setting, no audit event is generated when an encryption or decryption request is made to DPAPI.
@@ -1825,7 +1825,7 @@ Volume: High on domain controllers. None on client computers.
-This policy setting allows you to audit events generated by changes to objects in Active Directory Domain Services (AD DS). Events are logged when an object is created, deleted, modified, moved, or undeleted. When possible, events logged in this subcategory indicate the old and new values of the object's properties. Events in this subcategory are logged only on domain controllers, and only objects in AD DS with a matching system access control list (SACL) are logged
+This policy setting allows you to audit events generated by changes to objects in Active Directory Domain Services (AD DS). Events are logged when an object is created, deleted, modified, moved, or undeleted. When possible, events logged in this subcategory indicate the old and new values of the object's properties. Events in this subcategory are logged only on domain controllers, and only objects in AD DS with a matching system access control list (SACL) are logged.
 > [!NOTE]
 > Actions on some objects and properties do not cause audit events to be generated due to settings on the object class in the schema. If you configure this policy setting, an audit event is generated when an attempt to change an object in AD DS is made. Success audits record successful attempts, however unsuccessful attempts are NOT recorded.
@@ -2135,7 +2135,7 @@ Volume: Medium or Low on computers running Active Directory Certificate Services -This policy setting allows you to audit attempts to access files and folders on a shared folder. The Detailed File Share setting logs an event every time a file or folder is accessed, whereas the File Share setting only records one event for any connection established between a client and file share. Detailed File Share audit events include detailed information about the permissions or other criteria used to grant or deny access. If you configure this policy setting, an audit event is generated when an attempt is made to access a file or folder on a share. The administrator can specify whether to audit only successes, only failures, or both successes and failures +This policy setting allows you to audit attempts to access files and folders on a shared folder. The Detailed File Share setting logs an event every time a file or folder is accessed, whereas the File Share setting only records one event for any connection established between a client and file share. Detailed File Share audit events include detailed information about the permissions or other criteria used to grant or deny access. If you configure this policy setting, an audit event is generated when an attempt is made to access a file or folder on a share. The administrator can specify whether to audit only successes, only failures, or both successes and failures. > [!NOTE] > There are no system access control lists (SACLs) for shared folders. 
@@ -2201,7 +2201,7 @@ Volume: High on a file server or domain controller because of SYSVOL network acc This policy setting allows you to audit attempts to access a shared folder. If you configure this policy setting, an audit event is generated when an attempt is made to access a shared folder. -- If this policy setting is defined, the administrator can specify whether to audit only successes, only failures, or both successes and failures +- If this policy setting is defined, the administrator can specify whether to audit only successes, only failures, or both successes and failures. > [!NOTE] > There are no system access control lists (SACLs) for shared folders. @@ -2267,7 +2267,7 @@ Volume: High on a file server or domain controller because of SYSVOL network acc This policy setting allows you to audit user attempts to access file system objects. A security audit event is generated only for objects that have system access control lists (SACL) specified, and only if the type of access requested, such as Write, Read, or Modify and the account making the request match the settings in the SACL. For more information about enabling object access auditing, see . If you configure this policy setting, an audit event is generated each time an account accesses a file system object with a matching SACL. Success audits record successful attempts and Failure audits record unsuccessful attempts. -- If you do not configure this policy setting, no audit event is generated when an account accesses a file system object with a matching SACL +- If you do not configure this policy setting, no audit event is generated when an account accesses a file system object with a matching SACL. > [!NOTE] > You can set a SACL on a file system object using the Security tab in that object's Properties dialog box. 
@@ -2455,7 +2455,7 @@ Volume: High. This policy setting allows you to audit events generated when a handle to an object is opened or closed. Only objects with a matching system access control list (SACL) generate security audit events. If you configure this policy setting, an audit event is generated when a handle is manipulated. Success audits record successful attempts and Failure audits record unsuccessful attempts. -- If you do not configure this policy setting, no audit event is generated when a handle is manipulated +- If you do not configure this policy setting, no audit event is generated when a handle is manipulated. > [!NOTE] > Events in this subcategory generate events only for object types where the corresponding Object Access subcategory is enabled. For example, if File system object access is enabled, handle manipulation security audit events are generated. If Registry object access is not enabled, handle manipulation security audit events will not be generated. @@ -2519,7 +2519,7 @@ Volume: Depends on how SACLs are configured. -This policy setting allows you to audit attempts to access the kernel, which include mutexes and semaphores. Only kernel objects with a matching system access control list (SACL) generate security audit events +This policy setting allows you to audit attempts to access the kernel, which include mutexes and semaphores. Only kernel objects with a matching system access control list (SACL) generate security audit events. > [!NOTE] > The Audit Audit the access of global system objects policy setting controls the default SACL of kernel objects. 
@@ -2645,7 +2645,7 @@ Volume: Low. This policy setting allows you to audit attempts to access registry objects. A security audit event is generated only for objects that have system access control lists (SACLs) specified, and only if the type of access requested, such as Read, Write, or Modify, and the account making the request match the settings in the SACL. If you configure this policy setting, an audit event is generated each time an account accesses a registry object with a matching SACL. Success audits record successful attempts and Failure audits record unsuccessful attempts. -- If you do not configure this policy setting, no audit event is generated when an account accesses a registry object with a matching SACL +- If you do not configure this policy setting, no audit event is generated when an account accesses a registry object with a matching SACL. > [!NOTE] > You can set a SACL on a registry object using the Permissions dialog box. 
@@ -2771,10 +2771,10 @@ This policy setting allows you to audit user attempts to access file system obje This policy setting allows you to audit events generated by attempts to access to Security Accounts Manager (SAM) objects. SAM objects include the following SAM_ALIAS -- A local group. SAM_GROUP -- A group that is not a local group. SAM_USER - A user account. SAM_DOMAIN - A domain. SAM_SERVER - A computer account. If you configure this policy setting, an audit event is generated when an attempt to access a kernel object is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. -- If you do not configure this policy setting, no audit event is generated when an attempt to access a kernel object is made +- If you do not configure this policy setting, no audit event is generated when an attempt to access a kernel object is made. > [!NOTE] -> Only the System Access Control List (SACL) for SAM_SERVER can be modified. Volume High on domain controllers. For information about reducing the amount of events generated in this subcategory, see article 841001 in the Microsoft Knowledge Base (. +> Only the System Access Control List (SACL) for SAM_SERVER can be modified. Volume High on domain controllers. For information about reducing the amount of events generated in this subcategory, see [article 841001 in the Microsoft Knowledge Base](https://go.microsoft.com/fwlink/?LinkId=121698). 
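Review bot: The re-punctuated bullet still says "when an attempt to access a kernel object is made", although this section lists SAM_ALIAS through SAM_SERVER and describes SAM object auditing. The wording looks copied from the kernel-object subcategory, and the unchanged "If you configure this policy setting" sentence has the same phrase. Administrators rely on this text to know which subcategory produces which events, so I would change the bullet to `- If you do not configure this policy setting, no audit event is generated when an attempt to access a SAM object is made.` and align the preceding sentence. The note also runs "Volume High on domain controllers" into the SACL remark, which reads like a lost `Volume:` line and may be worth splitting out.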
@@ -2836,7 +2836,7 @@ Volume: High on domain controllers. For more information about reducing the numb This policy setting allows you to audit events generated by changes to the authentication policy such as the following Creation of forest and domain trusts. Modification of forest and domain trusts. Removal of forest and domain trusts. Changes to Kerberos policy under Computer Configuration\Windows Settings\Security Settings\Account Policies\Kerberos Policy. Granting of any of the following user rights to a user or group Access This Computer From the Network. Allow Logon Locally. Allow Logon Through Terminal Services. Logon as a Batch Job. Logon a Service. Namespace collision. For example, when a new trust has the same name as an existing namespace name. If you configure this policy setting, an audit event is generated when an attempt to change the authentication policy is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. -- If you do not configure this policy setting, no audit event is generated when the authentication policy is changed +- If you do not configure this policy setting, no audit event is generated when the authentication policy is changed. > [!NOTE] > The security audit event is logged when the group policy is applied. It does not occur at the time when the settings are modified. 
@@ -3147,7 +3147,7 @@ Volume: Low. -This policy setting allows you to audit changes in the security audit policy settings such as the following Settings permissions and audit settings on the Audit Policy object. Changes to the system audit policy. Registration of security event sources. De-registration of security event sources. Changes to the per-user audit settings. Changes to the value of CrashOnAuditFail. Changes to the system access control list on a file system or registry object. Changes to the Special Groups list +This policy setting allows you to audit changes in the security audit policy settings such as the following Settings permissions and audit settings on the Audit Policy object. Changes to the system audit policy. Registration of security event sources. De-registration of security event sources. Changes to the per-user audit settings. Changes to the value of CrashOnAuditFail. Changes to the system access control list on a file system or registry object. Changes to the Special Groups list. > [!NOTE] > System access control list (SACL) change auditing is done when a SACL for an object changes and the policy change category is enabled. Discretionary access control list (DACL) and ownership changes are audited when object access auditing is enabled and the object's SACL is configured for auditing of DACL/Owner change. diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md index 4c5e5997cb..8f7766c3a5 100644 --- a/windows/client-management/mdm/policy-csp-browser.md +++ b/windows/client-management/mdm/policy-csp-browser.md @@ -1484,7 +1484,7 @@ Supported versions: Microsoft Edge on Windows 10, version 1809 Default setting: Disabled or not configured Related policies: - Allows development of Windows Store apps and installing them from an integrated development environment (IDE) -- Allow all trusted apps to install +- Allow all trusted apps to install 
@@ -3248,7 +3248,7 @@ Related Documents: - [Find a package family name (PFN) for per-app VPN](/mem/configmgr/protect/deploy-use/find-a-pfn-for-per-app-vpn) - [How to manage volume purchased apps from the Microsoft Store for Business with Microsoft Intune](/mem/intune/apps/windows-store-for-business) -- [Assign apps to groups with Microsoft Intune](/mem/intune/apps-deploy) +- [Assign apps to groups with Microsoft Intune](/mem/intune/apps/apps-deploy) - [Manage apps from the Microsoft Store for Business and Education with Configuration Manager](/mem/configmgr/apps/deploy-use/manage-apps-from-the-windows-store-for-business) - [Add a Windows line-of-business app to Microsoft Intune](/mem/intune/apps/lob-apps-windows) diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md index eb25db2dad..298d67d708 100644 --- a/windows/client-management/mdm/policy-csp-defender.md +++ b/windows/client-management/mdm/policy-csp-defender.md @@ -4,7 +4,7 @@ description: Learn more about the Defender Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/09/2023 +ms.date: 02/10/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
@@ -1164,7 +1164,7 @@ This setting applies to scheduled scans, but it has no effect on scans initiated -This policy setting determines how aggressive Windows Defender Antivirus will be in blocking and scanning suspicious files. Value type is integer. If this setting is on, Windows Defender Antivirus will be more aggressive when identifying suspicious files to block and scan; otherwise, it will be less aggressive and therefore block and scan with less frequency. For more information about specific values that are supported, see the Windows Defender Antivirus documentation site +This policy setting determines how aggressive Windows Defender Antivirus will be in blocking and scanning suspicious files. Value type is integer. If this setting is on, Windows Defender Antivirus will be more aggressive when identifying suspicious files to block and scan; otherwise, it will be less aggressive and therefore block and scan with less frequency. For more information about specific values that are supported, see [Specify the cloud protection level](/microsoft-365/security/defender-endpoint/specify-cloud-protection-level-microsoft-defender-antivirus). > [!NOTE] > This feature requires the Join Microsoft MAPS setting enabled in order to function. 
@@ -1232,7 +1232,7 @@ This policy setting determines how aggressive Windows Defender Antivirus will be -This feature allows Windows Defender Antivirus to block a suspicious file for up to 60 seconds, and scan it in the cloud to make sure it's safe. Value type is integer, range is 0 - 50. The typical cloud check timeout is 10 seconds. To enable the extended cloud check feature, specify the extended time in seconds, up to an additional 50 seconds. For example, if the desired timeout is 60 seconds, specify 50 seconds in this setting, which will enable the extended cloud check feature, and will raise the total time to 60 seconds +This feature allows Windows Defender Antivirus to block a suspicious file for up to 60 seconds, and scan it in the cloud to make sure it's safe. Value type is integer, range is 0 - 50. The typical cloud check timeout is 10 seconds. To enable the extended cloud check feature, specify the extended time in seconds, up to an additional 50 seconds. For example, if the desired timeout is 60 seconds, specify 50 seconds in this setting, which will enable the extended cloud check feature, and will raise the total time to 60 seconds. > [!NOTE] > This feature depends on three other MAPS settings the must all be enabled- Configure the 'Block at First Sight' feature; Join Microsoft MAPS; Send file samples when further analysis is required. @@ -1980,7 +1980,7 @@ Allows an administrator to specify a list of directory paths to ignore during a -Allows an administrator to specify a list of files opened by processes to ignore during a scan +Allows an administrator to specify a list of files opened by processes to ignore during a scan. > [!IMPORTANT] > The process itself is not excluded from the scan, but can be by using the Defender/ExcludedPaths policy to exclude its path. Each file type must be separated by a |. For example, C\Example. exe|C\Example1.exe. 
diff --git a/windows/client-management/mdm/uefi-csp.md b/windows/client-management/mdm/uefi-csp.md index 6b3389617f..b6cc17127d 100644 --- a/windows/client-management/mdm/uefi-csp.md +++ b/windows/client-management/mdm/uefi-csp.md @@ -7,7 +7,7 @@ ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft ms.date: 10/02/2018 -ms.reviewer: +ms.reviewer: manager: aaroncz --- @@ -31,7 +31,7 @@ The UEFI Configuration Service Provider (CSP) interfaces to UEFI's Device Firmwa > The UEFI CSP version published in Windows 10, version 1803 is replaced with this one (version 1809). > [!NOTE] -> The production UEFI CSP is present in 1809, but it depends upon the [Device Firmware Configuration Interface (DFCI) and UEFI firmware](https://microsoft.github.io/mu/dyn/mu_plus/DfciPkg/Docs/Dfci_Feature/) to comply with this interface. +> The production UEFI CSP is present in 1809, but it depends upon the [Device Firmware Configuration Interface (DFCI) and UEFI firmware](https://microsoft.github.io/mu/dyn/mu_feature_dfci/DfciPkg/Docs/Dfci_Feature/) to comply with this interface. The following shows the UEFI CSP in tree format. ``` diff --git a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md index 917d96da7b..fc74d86711 100644 --- a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md +++ b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md @@ -40,6 +40,7 @@ WindowsAdvancedThreatProtection ----Configuration --------SampleSharing --------TelemetryReportingFrequency +--------AadDdeviceId ----Offboarding ----DeviceTagging --------Group 
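Review bot: The node added to the tree is spelled `--------AadDdeviceId` (double "d"), while the description hunk (`**Configuration/AadDeviceId**`) and the DDF path added later in this commit both use `AadDeviceId`. Anyone building the OMA-URI from the tree would presumably target a node that does not exist, so the tree line should read `--------AadDeviceId`. The new description also has no closing period and, unlike the neighbouring nodes, does not state the data type. Consider `Returns or sets the AadDeviceId that Intune reports for the device.` followed by a data type sentence once the type is confirmed.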
@@ -48,34 +49,34 @@ WindowsAdvancedThreatProtection The following list describes the characteristics and parameters. -**./Device/Vendor/MSFT/WindowsAdvancedThreatProtection** +**./Device/Vendor/MSFT/WindowsAdvancedThreatProtection** The root node for the Windows Defender Advanced Threat Protection configuration service provider. Supported operation is Get. -**Onboarding** +**Onboarding** Sets Windows Defender Advanced Threat Protection Onboarding blob and initiates onboarding to Windows Defender Advanced Threat Protection. The data type is a string. Supported operations are Get and Replace. -**HealthState** +**HealthState** Node that represents the Windows Defender Advanced Threat Protection health state. -**HealthState/LastConnected** +**HealthState/LastConnected** Contains the timestamp of the last successful connection. Supported operation is Get. -**HealthState/SenseIsRunning** +**HealthState/SenseIsRunning** Boolean value that identifies the Windows Defender Advanced Threat Protection Sense running state. The default value is false. Supported operation is Get. -**HealthState/OnboardingState** +**HealthState/OnboardingState** Represents the onboarding state. Supported operation is Get. @@ -85,15 +86,15 @@ The following list shows the supported values: - 0 (default) – Not onboarded - 1 – Onboarded -**HealthState/OrgId** +**HealthState/OrgId** String that represents the OrgID. Supported operation is Get. -**Configuration** +**Configuration** Represents Windows Defender Advanced Threat Protection configuration. -**Configuration/SampleSharing** +**Configuration/SampleSharing** Returns or sets the Windows Defender Advanced Threat Protection Sample Sharing configuration parameter. The following list shows the supported values: 
@@ -103,7 +104,7 @@ The following list shows the supported values: Supported operations are Get and Replace. -**Configuration/TelemetryReportingFrequency** +**Configuration/TelemetryReportingFrequency** Added in Windows 10, version 1703. Returns or sets the Windows Defender Advanced Threat Protection diagnostic data reporting frequency. The following list shows the supported values: @@ -113,26 +114,31 @@ The following list shows the supported values: Supported operations are Get and Replace. -**Offboarding** +**Configuration/AadDeviceId** +Returns or sets the Intune's reported known AadDeviceId for the machine + +Supported operations are Get and Replace. + +**Offboarding** Sets the Windows Defender Advanced Threat Protection Offboarding blob and initiates offboarding to Windows Defender Advanced Threat Protection. The data type is a string. Supported operations are Get and Replace. -**DeviceTagging** +**DeviceTagging** Added in Windows 10, version 1709. Represents Windows Defender Advanced Threat Protection configuration for managing role based access and device tagging. Supported operation is Get. -**DeviceTagging/Group** +**DeviceTagging/Group** Added in Windows 10, version 1709. Device group identifiers. The data type is a string. Supported operations are Get and Replace. -**DeviceTagging/Criticality** +**DeviceTagging/Criticality** Added in Windows 10, version 1709. Asset criticality value. Supported values: - 0 - Normal @@ -217,6 +223,16 @@ Supported operations are Get and Replace. + + 7 + + + + ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Configuration/AadDeviceId + + + + 11 diff --git a/windows/configuration/configure-windows-10-taskbar.md b/windows/configuration/configure-windows-10-taskbar.md index a90fd2bb19..cbdc9361aa 100644 --- a/windows/configuration/configure-windows-10-taskbar.md +++ b/windows/configuration/configure-windows-10-taskbar.md 
@@ -1,10 +1,7 @@ --- -title: Configure Windows 10 taskbar (Windows 10) +title: Configure Windows 10 taskbar description: Administrators can pin more apps to the taskbar and remove default pinned apps from the taskbar by adding a section to a layout modification XML file. -keywords: [taskbar layout, pin apps] ms.prod: windows-client -ms.mktglfcycl: manage -ms.sitesec: library author: lizgt2000 ms.author: lizlong ms.topic: article @@ -12,9 +9,12 @@ ms.localizationpriority: medium ms.date: 01/18/2018 ms.reviewer: manager: aaroncz -ms.collection: highpri +ms.collection: + - highpri + - tier2 ms.technology: itpro-configure --- + # Configure Windows 10 taskbar Starting in Windows 10, version 1607, administrators can pin more apps to the taskbar and remove default pinned apps from the taskbar by adding a `` section to a layout modification XML file. This method never removes user-pinned apps from the taskbar. diff --git a/windows/configuration/cortana-at-work/cortana-at-work-feedback.md b/windows/configuration/cortana-at-work/cortana-at-work-feedback.md index c40796bd2a..78ad0b03f2 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-feedback.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-feedback.md @@ -2,6 +2,7 @@ title: Send feedback about Cortana at work back to Microsoft description: Learn how to send feedback to Microsoft about Cortana at work so you can provide more information to help diagnose reported issues. ms.prod: windows-client +ms.collection: tier3 author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/cortana-at-work/cortana-at-work-o365.md b/windows/configuration/cortana-at-work/cortana-at-work-o365.md index ad09a7c543..399384fb32 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-o365.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-o365.md 
@@ -2,6 +2,7 @@
 title: Set up and test Cortana in Windows 10, versions 1909 and earlier, with Microsoft 365 in your organization
 description: Learn how to connect Cortana to Office 365 so employees are notified about regular meetings and unusual events. You can even set an alarm for early meetings.
 ms.prod: windows-client
+ms.collection: tier3
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: aczechowski
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-overview.md b/windows/configuration/cortana-at-work/cortana-at-work-overview.md
index 39e709ad20..cd9bc813a9 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-overview.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-overview.md
@@ -4,6 +4,7 @@ ms.reviewer:
 manager: dougeby
 description: Cortana includes powerful configuration options specifically to optimize for unique small to medium-sized business and for enterprise environments.
 ms.prod: windows-client
+ms.collection: tier3
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md b/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md
index 90543d9202..0071761fd5 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md
@@ -2,6 +2,7 @@
 title: Configure Cortana with Group Policy and MDM settings (Windows)
 description: The list of Group Policy and mobile device management (MDM) policy settings that apply to Cortana at work.
 ms.prod: windows-client
+ms.collection: tier3
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md
index 71800954eb..0cf1df4390 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md
@@ -2,6 +2,7 @@
 title: Sign into Azure AD, enable the wake word, and try a voice query
 description: A test scenario walking you through signing in and managing the notebook.
 ms.prod: windows-client
+ms.collection: tier3
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md
index d31430c312..4ba46b4d36 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md
@@ -2,6 +2,7 @@
 title: Perform a quick search with Cortana at work (Windows)
 description: This scenario is a test scenario about how to perform a quick search with Cortana at work.
 ms.prod: windows-client
+ms.collection: tier3
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md
index 48b5bfd328..b2202a902d 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md
@@ -2,6 +2,7 @@
 title: Set a reminder for a location with Cortana at work (Windows)
 description: A test scenario about how to set a location-based reminder using Cortana at work.
 ms.prod: windows-client
+ms.collection: tier3
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md
index 0ce5972f23..fcad450ae3 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md
@@ -2,6 +2,7 @@
 title: Use Cortana at work to find your upcoming meetings (Windows)
 description: A test scenario on how to use Cortana at work to find your upcoming meetings.
 ms.prod: windows-client
+ms.collection: tier3
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md
index 0111aba809..94c1edabe4 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md
@@ -2,6 +2,7 @@
 title: Use Cortana to send email to a co-worker (Windows)
 description: A test scenario about how to use Cortana at work to send email to a co-worker.
 ms.prod: windows-client
+ms.collection: tier3
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md
index a6c2d4c3bb..54a1064afb 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md
@@ -2,6 +2,7 @@
 title: Review a reminder suggested by Cortana (Windows)
 description: A test scenario on how to use Cortana with the Suggested reminders feature.
 ms.prod: windows-client
+ms.collection: tier3
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md
index e8caaf8cf3..a69e0078ff 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md
@@ -2,6 +2,7 @@
 title: Help protect data with Cortana and WIP (Windows)
 description: An optional test scenario about how to use Cortana at work with Windows Information Protection (WIP).
 ms.prod: windows-client
+ms.collection: tier3
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md b/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md
index 19dce90d45..63c801e46b 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md
@@ -2,6 +2,7 @@
 title: Cortana at work testing scenarios
 description: Suggested testing scenarios that you can use to test Cortana in your organization.
 ms.prod: windows-client
+ms.collection: tier3
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md b/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md
index 26f401808e..ec1abf4d96 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md
@@ -2,6 +2,7 @@
 title: Set up and test custom voice commands in Cortana for your organization (Windows)
 description: How to create voice commands that use Cortana to perform voice-enabled actions in your line-of-business (LOB) Universal Windows Platform (UWP) apps.
 ms.prod: windows-client
+ms.collection: tier3
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
diff --git a/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md b/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md
index 9f38750042..b089b30590 100644
--- a/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md
+++ b/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md
@@ -4,6 +4,7 @@ ms.reviewer:
 manager: dougeby
 description: Cortana includes powerful configuration options specifically to optimize unique small to medium-sized business and enterprise environments.
 ms.prod: windows-client
+ms.collection: tier3
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
diff --git a/windows/configuration/cortana-at-work/test-scenario-1.md b/windows/configuration/cortana-at-work/test-scenario-1.md
index c3456c0ae6..76496df719 100644
--- a/windows/configuration/cortana-at-work/test-scenario-1.md
+++ b/windows/configuration/cortana-at-work/test-scenario-1.md
@@ -2,6 +2,7 @@
 title: Test scenario 1 – Sign in with your work or school account and use Cortana to manage the notebook
 description: A test scenario about how to sign in with your work or school account and use Cortana to manage the notebook.
 ms.prod: windows-client
+ms.collection: tier3
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
diff --git a/windows/configuration/cortana-at-work/test-scenario-2.md b/windows/configuration/cortana-at-work/test-scenario-2.md
index 2a7d33cdbf..c6a2efd05f 100644
--- a/windows/configuration/cortana-at-work/test-scenario-2.md
+++ b/windows/configuration/cortana-at-work/test-scenario-2.md
@@ -2,6 +2,7 @@
 title: Test scenario 2 - Perform a quick search with Cortana at work
 description: A test scenario about how to perform a quick search with Cortana at work.
 ms.prod: windows-client
+ms.collection: tier3
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
diff --git a/windows/configuration/cortana-at-work/test-scenario-3.md b/windows/configuration/cortana-at-work/test-scenario-3.md
index 1724baee87..468c4060cc 100644
--- a/windows/configuration/cortana-at-work/test-scenario-3.md
+++ b/windows/configuration/cortana-at-work/test-scenario-3.md
@@ -2,6 +2,7 @@
 title: Test scenario 3 - Set a reminder for a specific location using Cortana at work
 description: A test scenario about how to set up, review, and edit a reminder based on a location.
 ms.prod: windows-client
+ms.collection: tier3
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
diff --git a/windows/configuration/cortana-at-work/test-scenario-4.md b/windows/configuration/cortana-at-work/test-scenario-4.md
index 8cad2a9dab..d1e98c4409 100644
--- a/windows/configuration/cortana-at-work/test-scenario-4.md
+++ b/windows/configuration/cortana-at-work/test-scenario-4.md
@@ -2,6 +2,7 @@
 title: Use Cortana to find your upcoming meetings at work (Windows)
 description: A test scenario about how to use Cortana at work to find your upcoming meetings.
 ms.prod: windows-client
+ms.collection: tier3
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
diff --git a/windows/configuration/cortana-at-work/test-scenario-5.md b/windows/configuration/cortana-at-work/test-scenario-5.md
index d3b93dd8a0..fcb33530cc 100644
--- a/windows/configuration/cortana-at-work/test-scenario-5.md
+++ b/windows/configuration/cortana-at-work/test-scenario-5.md
@@ -2,6 +2,7 @@
 title: Use Cortana to send an email to co-worker (Windows)
 description: A test scenario on how to use Cortana at work to send email to a co-worker.
 ms.prod: windows-client
+ms.collection: tier3
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
diff --git a/windows/configuration/cortana-at-work/test-scenario-6.md b/windows/configuration/cortana-at-work/test-scenario-6.md
index fbd5290713..1090b25b3f 100644
--- a/windows/configuration/cortana-at-work/test-scenario-6.md
+++ b/windows/configuration/cortana-at-work/test-scenario-6.md
@@ -2,6 +2,7 @@
 title: Test scenario 6 - Review a reminder suggested by Cortana based on what you’ve promised in email
 description: A test scenario about how to use Cortana with the Suggested reminders feature.
 ms.prod: windows-client
+ms.collection: tier3
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
diff --git a/windows/configuration/cortana-at-work/testing-scenarios-using-cortana-in-business-org.md b/windows/configuration/cortana-at-work/testing-scenarios-using-cortana-in-business-org.md
index 701b2f4f58..5f71bbdcec 100644
--- a/windows/configuration/cortana-at-work/testing-scenarios-using-cortana-in-business-org.md
+++ b/windows/configuration/cortana-at-work/testing-scenarios-using-cortana-in-business-org.md
@@ -2,6 +2,7 @@
 title: Testing scenarios using Cortana in your business or organization
 description: A list of suggested testing scenarios that you can use to test Cortana in your organization.
 ms.prod: windows-client
+ms.collection: tier3
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
diff --git a/windows/configuration/customize-and-export-start-layout.md b/windows/configuration/customize-and-export-start-layout.md
index 77f7406fb8..edd95b2265 100644
--- a/windows/configuration/customize-and-export-start-layout.md
+++ b/windows/configuration/customize-and-export-start-layout.md
@@ -1,5 +1,5 @@
 ---
-title: Customize and export Start layout (Windows 10)
+title: Customize and export Start layout
 description: The easiest method for creating a customized Start layout is to set up the Start screen and export the layout.
 ms.reviewer:
 manager: aaroncz
@@ -9,20 +9,21 @@ ms.author: lizlong ms.topic: article ms.localizationpriority: medium ms.date: 09/18/2018 -ms.collection: highpri +ms.collection: + - highpri + - tier1 ms.technology: itpro-configure --- # Customize and export Start layout - **Applies to** -- Windows 10 +- Windows 10 >**Looking for consumer information?** See [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630) -The easiest method for creating a customized Start layout to apply to other Windows 10 devices is to set up the Start screen on a test computer and then export the layout. +The easiest method for creating a customized Start layout to apply to other Windows 10 devices is to set up the Start screen on a test computer and then export the layout. After you export the layout, decide whether you want to apply a *full* Start layout or a *partial* Start layout. @@ -31,7 +32,7 @@ When a full Start layout is applied, the users cannot pin, unpin, or uninstall a When [a partial Start layout](#configure-a-partial-start-layout) is applied, the contents of the specified tile groups cannot be changed, but users can move those groups, and can also create and customize their own groups. >[!NOTE] ->Partial Start layout is only supported on Windows 10, version 1511 and later. +>Partial Start layout is only supported on Windows 10, version 1511 and later. 
@@ -49,7 +50,7 @@ To prepare a Start layout for export, you simply customize the Start layout on a **To prepare a test computer** -1. Set up a test computer on which to customize the Start layout. Your test computer should have the operating system that is installed on the users’ computers (Windows 10 Pro, Enterprise, or Education). Install all apps and services that the Start layout should display. +1. Set up a test computer on which to customize the Start layout. Your test computer should have the operating system that is installed on the users' computers (Windows 10 Pro, Enterprise, or Education). Install all apps and services that the Start layout should display. 2. Create a new user account that you will use to customize the Start layout. @@ -63,7 +64,7 @@ To prepare a Start layout for export, you simply customize the Start layout on a To view all apps, click **All apps** in the bottom-left corner of Start. Right-click any app, and pin or unpin it from Start. - - **Unpin apps** that you don’t want to display. To unpin an app, right-click the app, and then click **Unpin from Start**. + - **Unpin apps** that you don't want to display. To unpin an app, right-click the app, and then click **Unpin from Start**. - **Drag tiles** on Start to reorder or group apps. @@ -89,7 +90,7 @@ When you have the Start layout that you want your users to see, use the [Export- 2. On a device running Windows 10, version 1607, 1703, or 1803, at the Windows PowerShell command prompt, enter the following command: - `Export-StartLayout –path .xml` + `Export-StartLayout -path .xml` On a device running Windows 10, version 1809 or higher, run the **Export-StartLayout** with the switch **-UseDesktopApplicationID**. For example: diff --git a/windows/configuration/customize-start-menu-layout-windows-11.md b/windows/configuration/customize-start-menu-layout-windows-11.md index f043da3ecb..0fa0a01630 100644 --- a/windows/configuration/customize-start-menu-layout-windows-11.md 
+++ b/windows/configuration/customize-start-menu-layout-windows-11.md
@@ -7,7 +7,9 @@ ms.author: lizlong
 ms.reviewer: ericpapa
 ms.prod: windows-client
 ms.localizationpriority: medium
-ms.collection: highpri
+ms.collection:
+ - highpri
+ - tier1
 ms.technology: itpro-configure
 ms.date: 01/10/2023
 ms.topic: article
diff --git a/windows/configuration/customize-taskbar-windows-11.md b/windows/configuration/customize-taskbar-windows-11.md
index a630b2ac0b..dfcaee8191 100644
--- a/windows/configuration/customize-taskbar-windows-11.md
+++ b/windows/configuration/customize-taskbar-windows-11.md
@@ -1,5 +1,5 @@
 ---
-title: Configure and customize Windows 11 taskbar | Microsoft Docs
+title: Configure and customize Windows 11 taskbar
 description: On Windows 11 devices, pin and unpin default apps and organization apps on the taskbar using an XML file. Deploy the taskbar XML file using Group Policy or MDM and Microsoft Intune. See what happens to the taskbar when the Windows OS client is installed or upgraded.
 manager: aaroncz
 ms.author: lizlong
@@ -7,7 +7,9 @@ ms.reviewer: chataylo
 ms.prod: windows-client
 author: lizgt2000
 ms.localizationpriority: medium
-ms.collection: highpri
+ms.collection:
+ - highpri
+ - tier1
 ms.technology: itpro-configure
 ms.date: 12/31/2017
 ms.topic: article
diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md
index baffd2a688..40b7d5daac 100644
--- a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md
+++ b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md
@@ -1,5 +1,5 @@
 ---
-title: Customize Windows 10 Start and taskbar with Group Policy (Windows 10)
+title: Customize Windows 10 Start and taskbar with group policy
 description: In Windows 10, you can use a Group Policy Object (GPO) to deploy a customized Start layout to users in a domain.
 ms.reviewer:
 manager: aaroncz
@@ -8,7 +8,9 @@ author: lizgt2000
 ms.localizationpriority: medium
 ms.author: lizlong
 ms.topic: article
-ms.collection: highpri
+ms.collection:
+ - highpri
+ - tier2
 ms.technology: itpro-configure
 ms.date: 12/31/2017
 ---
diff --git a/windows/configuration/docfx.json b/windows/configuration/docfx.json
index 315f3afa7f..90a28bb7e6 100644
--- a/windows/configuration/docfx.json
+++ b/windows/configuration/docfx.json
@@ -34,6 +34,9 @@
 "externalReference": [],
 "globalMetadata": {
 "recommendations": true,
+ "ms.collection": [
+ "tier2"
+ ],
 "breadcrumb_path": "/windows/resources/breadcrumb/toc.json",
 "uhfHeaderId": "MSDocsHeader-M365-IT",
 "ms.technology": "itpro-configure",
diff --git a/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md b/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md
index 6ff2246977..ee9ad89242 100644
--- a/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md
+++ b/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md
@@ -8,7 +8,9 @@ ms.author: lizlong
 ms.topic: article
 ms.localizationpriority: medium
 ms.prod: windows-client
-ms.collection: highpri
+ms.collection:
+ - highpri
+ - tier2
 ms.technology: itpro-configure
 ms.date: 12/31/2017
 ---
@@ -41,7 +43,7 @@ foreach ($app in $installedapps) $aumidList ``` -You can add the –user <username> or the –allusers parameters to the get-AppxPackage cmdlet to list AUMIDs for other users. You must use an elevated Windows PowerShell prompt to use the –user or –allusers parameters. +You can add the `-user ` or the `-allusers` parameters to the **Get-AppxPackage** cmdlet to list AUMIDs for other users. You must use an elevated Windows PowerShell prompt to use the `-user` or -`allusers` parameters. ## To find the AUMID by using File Explorer @@ -63,7 +65,7 @@ At a command prompt, type the following command: `reg query HKEY_CURRENT_USER\Software\Classes\ActivatableClasses\Package /s /f AppUserModelID | find "REG_SZ"` -## Example +### Example to get AUMIDs of the installed apps for the specified user The following code sample creates a function in Windows PowerShell that returns an array of AUMIDs of the installed apps for the specified user. @@ -105,14 +107,14 @@ The following Windows PowerShell commands demonstrate how you can call the listA # Get a list of AUMIDs for the current account: listAumids -# Get a list of AUMIDs for an account named “CustomerAccount”: +# Get a list of AUMIDs for an account named "CustomerAccount": listAumids("CustomerAccount") # Get a list of AUMIDs for all accounts on the device: listAumids("allusers") ``` -## Example +### Example to get the AUMID of any application in the Start menu The following code sample creates a function in Windows PowerShell that returns the AUMID of any application currently listed in the Start menu. @@ -148,4 +150,3 @@ Get-AppAUMID -AppName Word # List all apps and their AUMID in the Start menu Get-AppAUMID ``` - diff --git a/windows/configuration/guidelines-for-assigned-access-app.md b/windows/configuration/guidelines-for-assigned-access-app.md index 48abdda3c1..f1159c1544 100644 --- a/windows/configuration/guidelines-for-assigned-access-app.md +++ b/windows/configuration/guidelines-for-assigned-access-app.md 
@@ -1,17 +1,16 @@
 ---
-title: Guidelines for choosing an app for assigned access (Windows 10/11)
+title: Guidelines for choosing an app for assigned access
 description: The following guidelines may help you choose an appropriate Windows app for your assigned access experience.
-keywords: [kiosk, lockdown, assigned access]
 ms.prod: windows-client
-ms.mktglfcycl: manage
-ms.sitesec: library
 author: lizgt2000
 ms.localizationpriority: medium
 ms.author: lizlong
 ms.topic: article
 ms.reviewer: sybruckm
 manager: aaroncz
-ms.collection: highpri
+ms.collection:
+ - highpri
+ - tier2
 ms.technology: itpro-configure
 ms.date: 12/31/2017
 ---
@@ -50,7 +49,7 @@ Avoid selecting Windows apps that are designed to launch other apps as part of t Starting with Windows 10 version 1809+, Microsoft Edge includes support for kiosk mode. [Learn how to deploy Microsoft Edge kiosk mode.](/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy) -In Windows client, you can install the **Kiosk Browser** app from Microsoft to use as your kiosk app. For digital signage scenarios, you can configure **Kiosk Browser** to navigate to a URL and show only that content -- no navigation buttons, no address bar, etc. For kiosk scenarios, you can configure more settings, such as allowed and blocked URLs, navigation buttons, and end session buttons. For example, you could configure your kiosk to show the online catalog for your store, where customers can navigate between departments and items, but aren’t allowed to go to a competitor's website. +In Windows client, you can install the **Kiosk Browser** app from Microsoft to use as your kiosk app. For digital signage scenarios, you can configure **Kiosk Browser** to navigate to a URL and show only that content -- no navigation buttons, no address bar, etc. For kiosk scenarios, you can configure more settings, such as allowed and blocked URLs, navigation buttons, and end session buttons. For example, you could configure your kiosk to show the online catalog for your store, where customers can navigate between departments and items, but aren't allowed to go to a competitor's website. >[!NOTE] >Kiosk Browser supports a single tab. If a website has links that open a new tab, those links will not work with Kiosk Browser. Kiosk Browser does not support .pdfs. 
@@ -155,7 +154,7 @@ You can create your own web browser Windows app by using the WebView class. Lear ## Secure your information -Avoid selecting Windows apps that may expose the information you don’t want to show in your kiosk, since kiosk usually means anonymous access and locates in a public setting like a shopping mall. For example, an app that has a file picker allows the user to gain access to files and folders on the user's system, avoid selecting these types of apps if they provide unnecessary data access. +Avoid selecting Windows apps that may expose the information you don't want to show in your kiosk, since kiosk usually means anonymous access and locates in a public setting like a shopping mall. For example, an app that has a file picker allows the user to gain access to files and folders on the user's system, avoid selecting these types of apps if they provide unnecessary data access. ## App configuration diff --git a/windows/configuration/index.yml b/windows/configuration/index.yml index fe0ebfbafc..2891f614c0 100644 --- a/windows/configuration/index.yml +++ b/windows/configuration/index.yml @@ -1,7 +1,7 @@ ### YamlMime:Landing title: Configure Windows client # < 60 chars -summary: Find out how to apply custom configurations to Windows 10 and Windows 11 devices. Windows 10 provides many features and methods to help you configure or lock down specific parts of Windows client. # < 160 chars +summary: Find out how to apply custom configurations to Windows client devices. Windows provides many features and methods to help you configure or lock down specific parts of Windows client. # < 160 chars metadata: title: Configure Windows client # Required; page title displayed in search results. Include the brand. < 60 chars. @@ -10,6 +10,7 @@ metadata: ms.prod: windows-client ms.collection: - highpri + - tier1 author: aczechowski ms.author: aaroncz manager: dougeby 
diff --git a/windows/configuration/kiosk-single-app.md b/windows/configuration/kiosk-single-app.md index 3724425208..d48592fdfc 100644 --- a/windows/configuration/kiosk-single-app.md +++ b/windows/configuration/kiosk-single-app.md @@ -1,6 +1,6 @@ --- -title: Set up a single-app kiosk on Windows 10/11 -description: A single-use device is easy to set up in Windows 10 and Windows 11 for desktop editions (Pro, Enterprise, and Education). +title: Set up a single-app kiosk on Windows +description: A single-use device is easy to set up in Windows Pro, Enterprise, and Education editions. ms.reviewer: sybruckm manager: aaroncz ms.author: lizlong @@ -8,7 +8,9 @@ ms.prod: windows-client author: lizgt2000 ms.localizationpriority: medium ms.topic: article -ms.collection: highpri +ms.collection: + - highpri + - tier1 ms.technology: itpro-configure ms.date: 12/31/2017 --- diff --git a/windows/configuration/lock-down-windows-10-to-specific-apps.md b/windows/configuration/lock-down-windows-10-to-specific-apps.md index 5e74a0ca9d..800e7781f6 100644 --- a/windows/configuration/lock-down-windows-10-to-specific-apps.md +++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md @@ -9,7 +9,9 @@ manager: aaroncz ms.reviewer: sybruckm ms.localizationpriority: medium ms.topic: how-to -ms.collection: highpri +ms.collection: + - highpri + - tier2 ms.date: 12/31/2017 --- 
@@ -247,7 +249,7 @@ A few things to note here: - The test device on which you customize the Start layout should have the same OS version that is installed on the device where you plan to deploy the multi-app assigned access configuration. - Since the multi-app assigned access experience is intended for fixed-purpose devices, to ensure the device experiences are consistent and predictable, use the *full* Start layout option instead of the *partial* Start layout. - There are no apps pinned on the taskbar in the multi-app mode, and it's not supported to configure Taskbar layout using the `` tag in a layout modification XML as part of the assigned access configuration. -- The following example uses `DesktopApplicationLinkPath` to pin the desktop app to start. When the desktop app doesn’t have a shortcut link on the target device, [learn how to provision .lnk files using Windows Configuration Designer](#lnk-files). +- The following example uses `DesktopApplicationLinkPath` to pin the desktop app to start. When the desktop app doesn't have a shortcut link on the target device, [learn how to provision .lnk files using Windows Configuration Designer](#lnk-files). The following example pins Groove Music, Movies & TV, Photos, Weather, Calculator, Paint, and Notepad apps on Start: @@ -284,7 +286,7 @@ The following example pins Groove Music, Movies & TV, Photos, Weather, Calculato ##### Taskbar -Define whether you want to have the taskbar present in the kiosk device. For tablet-based or touch-enabled all-in-one kiosks, when you don’t attach a keyboard and mouse, you can hide the taskbar as part of the multi-app experience if you want. +Define whether you want to have the taskbar present in the kiosk device. For tablet-based or touch-enabled all-in-one kiosks, when you don't attach a keyboard and mouse, you can hide the taskbar as part of the multi-app experience if you want. The following example exposes the taskbar to the end user: 
@@ -607,7 +609,7 @@ Lock the Taskbar | Enabled Prevent users from adding or removing toolbars | Enabled Prevent users from resizing the taskbar | Enabled Remove frequent programs list from the Start Menu | Enabled -Remove ‘Map Network Drive’ and ‘Disconnect Network Drive’ | Enabled +Remove 'Map Network Drive' and 'Disconnect Network Drive' | Enabled Remove the Security and Maintenance icon | Enabled Turn off all balloon notifications | Enabled Turn off feature advertisement balloon notifications | Enabled @@ -615,7 +617,7 @@ Turn off toast notifications | Enabled Remove Task Manager | Enabled Remove Change Password option in Security Options UI | Enabled Remove Sign Out option in Security Options UI | Enabled -Remove All Programs list from the Start Menu | Enabled – Remove and disable setting +Remove All Programs list from the Start Menu | Enabled - Remove and disable setting Prevent access to drives from My Computer | Enabled - Restrict all drivers >[!NOTE] diff --git a/windows/configuration/provisioning-packages/provisioning-install-icd.md b/windows/configuration/provisioning-packages/provisioning-install-icd.md index c77e2f658e..8796ceac18 100644 --- a/windows/configuration/provisioning-packages/provisioning-install-icd.md +++ b/windows/configuration/provisioning-packages/provisioning-install-icd.md @@ -1,14 +1,16 @@ --- -title: Install Windows Configuration Designer (Windows 10/11) +title: Install Windows Configuration Designer description: Learn how to install and use Windows Configuration Designer so you can easily configure devices running Windows 10/11. ms.prod: windows-client author: lizgt2000 ms.author: lizlong ms.topic: article ms.localizationpriority: medium -ms.reviewer: gkomatsu +ms.reviewer: kevinsheehan manager: aaroncz -ms.collection: highpri +ms.collection: + - highpri + - tier2 ms.technology: itpro-configure ms.date: 12/31/2017 --- 
diff --git a/windows/configuration/provisioning-packages/provisioning-packages.md b/windows/configuration/provisioning-packages/provisioning-packages.md
index 4f0004d334..a6fac6c279 100644
--- a/windows/configuration/provisioning-packages/provisioning-packages.md
+++ b/windows/configuration/provisioning-packages/provisioning-packages.md
@@ -1,14 +1,16 @@
 ---
-title: Provisioning packages overview on Windows 10/11
+title: Provisioning packages overview
 description: With Windows 10 and Windows 11, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. Learn about what provisioning packages, are and what they do.
-ms.reviewer: gkomatsu
+ms.reviewer: kevinsheehan
 manager: aaroncz
 ms.prod: windows-client
 author: lizgt2000
 ms.author: lizlong
 ms.topic: article
 ms.localizationpriority: medium
-ms.collection: highpri
+ms.collection:
+ - highpri
+ - tier2
 ms.technology: itpro-configure
 ms.date: 12/31/2017
 ---
diff --git a/windows/configuration/set-up-shared-or-guest-pc.md b/windows/configuration/set-up-shared-or-guest-pc.md
index beda72c25c..41f4968fe9 100644
--- a/windows/configuration/set-up-shared-or-guest-pc.md
+++ b/windows/configuration/set-up-shared-or-guest-pc.md
@@ -10,7 +10,7 @@ author: paolomatarazzo
 ms.author: paoloma
 ms.reviewer:
 manager: aaroncz
-ms.collection:
+ms.collection: tier2
 appliesto:
 - ✅ Windows 10
 - ✅ Windows 11
diff --git a/windows/configuration/shared-devices-concepts.md b/windows/configuration/shared-devices-concepts.md
index 19e203f23c..cabee079ab 100644
--- a/windows/configuration/shared-devices-concepts.md
+++ b/windows/configuration/shared-devices-concepts.md
@@ -10,7 +10,7 @@ author: paolomatarazzo
 ms.author: paoloma
 ms.reviewer:
 manager: aaroncz
-ms.collection:
+ms.collection: tier2
 appliesto:
 - ✅ Windows 10
 - ✅ Windows 11
diff --git a/windows/configuration/shared-pc-technical.md b/windows/configuration/shared-pc-technical.md
index a84ff0f030..b0d626cff0 100644
--- a/windows/configuration/shared-pc-technical.md +++ b/windows/configuration/shared-pc-technical.md @@ -10,7 +10,7 @@ author: paolomatarazzo ms.author: paoloma ms.reviewer: manager: aaroncz -ms.collection: +ms.collection: tier2 appliesto: - ✅ Windows 10 - ✅ Windows 11 diff --git a/windows/configuration/stop-employees-from-using-microsoft-store.md b/windows/configuration/stop-employees-from-using-microsoft-store.md index 3ebc98f62f..9d33ff603e 100644 --- a/windows/configuration/stop-employees-from-using-microsoft-store.md +++ b/windows/configuration/stop-employees-from-using-microsoft-store.md @@ -1,5 +1,5 @@ --- -title: Configure access to Microsoft Store (Windows 10) +title: Configure access to Microsoft Store description: Learn how to configure access to Microsoft Store for client computers and mobile devices in your organization. ms.reviewer: manager: aaroncz @@ -9,7 +9,9 @@ ms.author: lizlong ms.topic: conceptual ms.localizationpriority: medium ms.date: 11/29/2022 -ms.collection: highpri +ms.collection: + - highpri + - tier2 ms.technology: itpro-configure --- diff --git a/windows/configuration/ue-v/uev-administering-uev-with-windows-powershell-and-wmi.md b/windows/configuration/ue-v/uev-administering-uev-with-windows-powershell-and-wmi.md index b72c7c7f8d..852b3e4500 100644 --- a/windows/configuration/ue-v/uev-administering-uev-with-windows-powershell-and-wmi.md +++ b/windows/configuration/ue-v/uev-administering-uev-with-windows-powershell-and-wmi.md @@ -3,6 +3,7 @@ title: Administering UE-V with Windows PowerShell and WMI description: Learn how User Experience Virtualization (UE-V) provides Windows PowerShell cmdlets to help administrators perform various UE-V tasks. author: aczechowski ms.prod: windows-client +ms.collection: tier3 ms.date: 04/19/2017 ms.reviewer: manager: dougeby diff --git a/windows/configuration/ue-v/uev-administering-uev.md b/windows/configuration/ue-v/uev-administering-uev.md index ba28b638f1..b4bfc496ca 100644 
--- a/windows/configuration/ue-v/uev-administering-uev.md
+++ b/windows/configuration/ue-v/uev-administering-uev.md
@@ -3,6 +3,7 @@ title: Administering UE-V
 description: Learn how to perform administrative tasks for User Experience Virtualization (UE-V). These tasks include configuring the UE-V service and recovering lost settings.
 author: aczechowski
 ms.prod: windows-client
+ms.collection: tier3
 ms.date: 04/19/2017
 ms.reviewer:
 manager: dougeby
diff --git a/windows/configuration/ue-v/uev-application-template-schema-reference.md b/windows/configuration/ue-v/uev-application-template-schema-reference.md
index e33519a625..a26af56567 100644
--- a/windows/configuration/ue-v/uev-application-template-schema-reference.md
+++ b/windows/configuration/ue-v/uev-application-template-schema-reference.md
@@ -3,6 +3,7 @@ title: Application Template Schema Reference for UE-V
 description: Learn details about the XML structure of the UE-V settings location templates and learn how to edit these files.
 author: aczechowski
 ms.prod: windows-client
+ms.collection: tier3
 ms.date: 04/19/2017
 ms.reviewer:
 manager: dougeby
diff --git a/windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md b/windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md
index 627c8b1414..d6cb847dc1 100644
--- a/windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md
+++ b/windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md
@@ -3,6 +3,7 @@ title: Changing the Frequency of UE-V Scheduled Tasks
 description: Learn how to create a script that uses the Schtasks.exe command-line options so you can change the frequency of UE-V scheduled tasks.
 author: aczechowski
 ms.prod: windows-client
+ms.collection: tier3
 ms.date: 04/19/2017
 ms.reviewer:
 manager: dougeby
diff --git a/windows/configuration/ue-v/uev-configuring-uev-with-group-policy-objects.md b/windows/configuration/ue-v/uev-configuring-uev-with-group-policy-objects.md
index 9367276244..5942fc45be 100644
--- a/windows/configuration/ue-v/uev-configuring-uev-with-group-policy-objects.md
+++ b/windows/configuration/ue-v/uev-configuring-uev-with-group-policy-objects.md
@@ -3,6 +3,7 @@ title: Configuring UE-V with Group Policy Objects
 description: In this article, learn how to configure User Experience Virtualization (UE-V) with Group Policy objects.
 author: aczechowski
 ms.prod: windows-client
+ms.collection: tier3
 ms.date: 04/19/2017
 ms.reviewer:
 manager: dougeby
diff --git a/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md b/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md
index 2f4dadd57a..60273009e8 100644
--- a/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md
+++ b/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md
@@ -3,6 +3,7 @@ title: Configuring UE-V with Microsoft Configuration Manager
 description: Learn how to configure User Experience Virtualization (UE-V) with Microsoft Configuration Manager.
 author: aczechowski
 ms.prod: windows-client
+ms.collection: tier3
 ms.date: 04/19/2017
 ms.reviewer:
 manager: dougeby
diff --git a/windows/configuration/ue-v/uev-deploy-required-features.md b/windows/configuration/ue-v/uev-deploy-required-features.md
index f58d68f203..479a729676 100644
--- a/windows/configuration/ue-v/uev-deploy-required-features.md
+++ b/windows/configuration/ue-v/uev-deploy-required-features.md
@@ -3,6 +3,7 @@ title: Deploy required UE-V features
 description: Learn how to install and configure User Experience Virtualization (UE-V) features, for example, a network share that stores and retrieves user settings.
 author: aczechowski
 ms.prod: windows-client
+ms.collection: tier3
 ms.date: 04/19/2017
 ms.reviewer:
 manager: dougeby
diff --git a/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md b/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md
index 901c9451d1..1d05d369d0 100644
--- a/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md
+++ b/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md
@@ -3,6 +3,7 @@ title: Use UE-V with custom applications
 description: Use User Experience Virtualization (UE-V) to create your own custom settings location templates with the UE-V template generator.
 author: aczechowski
 ms.prod: windows-client
+ms.collection: tier3
 ms.date: 04/19/2017
 ms.reviewer:
 manager: dougeby
diff --git a/windows/configuration/ue-v/uev-for-windows.md b/windows/configuration/ue-v/uev-for-windows.md
index 8eb556d6e4..f1604d6359 100644
--- a/windows/configuration/ue-v/uev-for-windows.md
+++ b/windows/configuration/ue-v/uev-for-windows.md
@@ -3,6 +3,7 @@ title: User Experience Virtualization for Windows 10, version 1607
 description: Overview of User Experience Virtualization for Windows 10, version 1607
 author: aczechowski
 ms.prod: windows-client
+ms.collection: tier3
 ms.date: 05/02/2017
 ms.reviewer:
 manager: dougeby
diff --git a/windows/configuration/ue-v/uev-getting-started.md b/windows/configuration/ue-v/uev-getting-started.md
index 825c7597c7..36ce63717c 100644
--- a/windows/configuration/ue-v/uev-getting-started.md
+++ b/windows/configuration/ue-v/uev-getting-started.md
@@ -3,6 +3,7 @@ title: Get Started with UE-V
 description: Use the steps in this article to deploy User Experience Virtualization (UE-V) for the first time in a test environment.
 author: aczechowski
 ms.prod: windows-client
+ms.collection: tier3
 ms.date: 03/08/2018
 ms.reviewer:
 manager: dougeby
diff --git a/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md b/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md
index 9f62707fab..22bf076b54 100644
--- a/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md
+++ b/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md
@@ -3,6 +3,7 @@ title: Manage Administrative Backup and Restore in UE-V
 description: Learn how an administrator of User Experience Virtualization (UE-V) can back up and restore application and Windows settings to their original state.
 author: aczechowski
 ms.prod: windows-client
+ms.collection: tier3
 ms.date: 04/19/2017
 ms.reviewer:
 manager: dougeby
diff --git a/windows/configuration/ue-v/uev-manage-configurations.md b/windows/configuration/ue-v/uev-manage-configurations.md
index 6f44c3f7ea..1e594846ab 100644
--- a/windows/configuration/ue-v/uev-manage-configurations.md
+++ b/windows/configuration/ue-v/uev-manage-configurations.md
@@ -3,6 +3,7 @@ title: Manage Configurations for UE-V
 description: Learn to manage the configuration of the User Experience Virtualization (UE-V) service and also learn to manage storage locations for UE-V resources.
 author: aczechowski
 ms.prod: windows-client
+ms.collection: tier3
 ms.date: 04/19/2017
 ms.reviewer:
 manager: dougeby
diff --git a/windows/configuration/ue-v/uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md b/windows/configuration/ue-v/uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md
index 1ec2b72325..04dae12024 100644
--- a/windows/configuration/ue-v/uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md
+++ b/windows/configuration/ue-v/uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md
@@ -3,6 +3,7 @@ title: Managing UE-V Settings Location Templates Using Windows PowerShell and WM
 description: Managing UE-V Settings Location Templates Using Windows PowerShell and WMI
 author: aczechowski
 ms.prod: windows-client
+ms.collection: tier3
 ms.date: 04/19/2017
 ms.reviewer:
 manager: dougeby
diff --git a/windows/configuration/ue-v/uev-managing-uev-agent-and-packages-with-windows-powershell-and-wmi.md b/windows/configuration/ue-v/uev-managing-uev-agent-and-packages-with-windows-powershell-and-wmi.md
index f6f4e14585..4d07a6a09a 100644
--- a/windows/configuration/ue-v/uev-managing-uev-agent-and-packages-with-windows-powershell-and-wmi.md
+++ b/windows/configuration/ue-v/uev-managing-uev-agent-and-packages-with-windows-powershell-and-wmi.md
@@ -3,6 +3,7 @@ title: Manage UE-V Service and Packages with Windows PowerShell and WMI
 description: Managing the UE-V service and packages with Windows PowerShell and WMI
 author: aczechowski
 ms.prod: windows-client
+ms.collection: tier3
 ms.date: 04/19/2017
 ms.reviewer:
 manager: dougeby
diff --git a/windows/configuration/ue-v/uev-migrating-settings-packages.md b/windows/configuration/ue-v/uev-migrating-settings-packages.md
index 39539183ca..9c3cebd1a1 100644
--- a/windows/configuration/ue-v/uev-migrating-settings-packages.md
+++ b/windows/configuration/ue-v/uev-migrating-settings-packages.md
@@ -3,6 +3,7 @@ title: Migrating UE-V settings packages
 description: Learn to relocate User Experience Virtualization (UE-V) user settings packages either when you migrate to a new server or when you perform backups.
 author: aczechowski
 ms.prod: windows-client
+ms.collection: tier3
 ms.date: 04/19/2017
 ms.reviewer:
 manager: dougeby
diff --git a/windows/configuration/ue-v/uev-prepare-for-deployment.md b/windows/configuration/ue-v/uev-prepare-for-deployment.md
index 39acddadd3..5e13281dc1 100644
--- a/windows/configuration/ue-v/uev-prepare-for-deployment.md
+++ b/windows/configuration/ue-v/uev-prepare-for-deployment.md
@@ -3,6 +3,7 @@ title: Prepare a UE-V Deployment
 description: Learn about the types of User Experience Virtualization (UE-V) deployment you can execute and what preparations you can make beforehand to be successful.
 author: aczechowski
 ms.prod: windows-client
+ms.collection: tier3
 ms.date: 04/19/2017
 ms.reviewer:
 manager: dougeby
diff --git a/windows/configuration/ue-v/uev-release-notes-1607.md b/windows/configuration/ue-v/uev-release-notes-1607.md
index b68e1eb3fe..47dfe6e7e7 100644
--- a/windows/configuration/ue-v/uev-release-notes-1607.md
+++ b/windows/configuration/ue-v/uev-release-notes-1607.md
@@ -3,6 +3,7 @@ title: User Experience Virtualization (UE-V) Release Notes
 description: Read the latest information required to successfully install and use User Experience Virtualization (UE-V) that isn't included in the UE-V documentation.
 author: aczechowski
 ms.prod: windows-client
+ms.collection: tier3
 ms.date: 04/19/2017
 ms.reviewer:
 manager: dougeby
diff --git a/windows/configuration/ue-v/uev-security-considerations.md b/windows/configuration/ue-v/uev-security-considerations.md
index 4029c2a043..a91444675f 100644
--- a/windows/configuration/ue-v/uev-security-considerations.md
+++ b/windows/configuration/ue-v/uev-security-considerations.md
@@ -3,6 +3,7 @@ title: Security Considerations for UE-V
 description: Learn about accounts and groups, log files, and other security-related considerations for User Experience Virtualization (UE-V).
 author: aczechowski
 ms.prod: windows-client
+ms.collection: tier3
 ms.date: 04/19/2017
 ms.reviewer:
 manager: dougeby
diff --git a/windows/configuration/ue-v/uev-sync-methods.md b/windows/configuration/ue-v/uev-sync-methods.md
index ddd0e4181c..7d1eeeccb0 100644
--- a/windows/configuration/ue-v/uev-sync-methods.md
+++ b/windows/configuration/ue-v/uev-sync-methods.md
@@ -3,6 +3,7 @@ title: Sync Methods for UE-V
 description: Learn how User Experience Virtualization (UE-V) service sync methods let you synchronize users’ application and Windows settings with the settings storage location.
 author: aczechowski
 ms.prod: windows-client
+ms.collection: tier3
 ms.date: 04/19/2017
 ms.reviewer:
 manager: dougeby
diff --git a/windows/configuration/ue-v/uev-sync-trigger-events.md b/windows/configuration/ue-v/uev-sync-trigger-events.md
index 6ffa1e76ff..b9571cdf2a 100644
--- a/windows/configuration/ue-v/uev-sync-trigger-events.md
+++ b/windows/configuration/ue-v/uev-sync-trigger-events.md
@@ -3,6 +3,7 @@ title: Sync Trigger Events for UE-V
 description: Learn how User Experience Virtualization (UE-V) lets you synchronize your application and Windows settings across all your domain-joined devices.
 author: aczechowski
 ms.prod: windows-client
+ms.collection: tier3
 ms.date: 04/19/2017
 ms.reviewer:
 manager: dougeby
diff --git a/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md b/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md
index 20bedf9737..7851418fe8 100644
--- a/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md
+++ b/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md
@@ -3,6 +3,7 @@ title: Synchronizing Microsoft Office with UE-V
 description: Learn how User Experience Virtualization (UE-V) supports the synchronization of Microsoft Office application settings.
 author: aczechowski
 ms.prod: windows-client
+ms.collection: tier3
 ms.date: 04/19/2017
 ms.reviewer:
 manager: dougeby
diff --git a/windows/configuration/ue-v/uev-technical-reference.md b/windows/configuration/ue-v/uev-technical-reference.md
index 1050b221b6..9d161c1889 100644
--- a/windows/configuration/ue-v/uev-technical-reference.md
+++ b/windows/configuration/ue-v/uev-technical-reference.md
@@ -3,6 +3,7 @@ title: Technical Reference for UE-V
 description: Use this technical reference to learn about the various features of User Experience Virtualization (UE-V).
 author: aczechowski
 ms.prod: windows-client
+ms.collection: tier3
 ms.date: 04/19/2017
 ms.reviewer:
 manager: dougeby
diff --git a/windows/configuration/ue-v/uev-troubleshooting.md b/windows/configuration/ue-v/uev-troubleshooting.md
index d5be7f7710..d2a350b63d 100644
--- a/windows/configuration/ue-v/uev-troubleshooting.md
+++ b/windows/configuration/ue-v/uev-troubleshooting.md
@@ -3,6 +3,7 @@ title: Troubleshooting UE-V
 description: Use this technical reference to find resources for troubleshooting User Experience Virtualization (UE-V) for Windows 10.
 author: aczechowski
 ms.prod: windows-client
+ms.collection: tier3
 ms.date: 04/19/2017
 ms.reviewer:
 manager: dougeby
diff --git a/windows/configuration/ue-v/uev-upgrade-uev-from-previous-releases.md b/windows/configuration/ue-v/uev-upgrade-uev-from-previous-releases.md
index 5f5127f7ea..78cfb2f9c0 100644
--- a/windows/configuration/ue-v/uev-upgrade-uev-from-previous-releases.md
+++ b/windows/configuration/ue-v/uev-upgrade-uev-from-previous-releases.md
@@ -3,6 +3,7 @@ title: Upgrade to UE-V for Windows 10
 description: Use these few adjustments to upgrade from User Experience Virtualization (UE-V) 2.x to the latest version of UE-V.
 author: aczechowski
 ms.prod: windows-client
+ms.collection: tier3
 ms.date: 04/19/2017
 ms.reviewer:
 manager: dougeby
diff --git a/windows/configuration/ue-v/uev-using-uev-with-application-virtualization-applications.md b/windows/configuration/ue-v/uev-using-uev-with-application-virtualization-applications.md
index 951c1b4ff0..5d02d042ce 100644
--- a/windows/configuration/ue-v/uev-using-uev-with-application-virtualization-applications.md
+++ b/windows/configuration/ue-v/uev-using-uev-with-application-virtualization-applications.md
@@ -3,6 +3,7 @@ title: Using UE-V with Application Virtualization applications
 description: Learn how to use User Experience Virtualization (UE-V) with Microsoft Application Virtualization (App-V).
 author: aczechowski
 ms.prod: windows-client
+ms.collection: tier3
 ms.date: 04/19/2017
 ms.reviewer:
 manager: dougeby
diff --git a/windows/configuration/ue-v/uev-whats-new-in-uev-for-windows.md b/windows/configuration/ue-v/uev-whats-new-in-uev-for-windows.md
index facd3330f3..157f473f1f 100644
--- a/windows/configuration/ue-v/uev-whats-new-in-uev-for-windows.md
+++ b/windows/configuration/ue-v/uev-whats-new-in-uev-for-windows.md
@@ -3,6 +3,7 @@ title: What's New in UE-V for Windows 10, version 1607
 description: Learn about what's new in User Experience Virtualization (UE-V) for Windows 10, including new features and capabilities.
 author: aczechowski
 ms.prod: windows-client
+ms.collection: tier3
 ms.date: 04/19/2017
 ms.reviewer:
 manager: dougeby
diff --git a/windows/configuration/ue-v/uev-working-with-custom-templates-and-the-uev-generator.md b/windows/configuration/ue-v/uev-working-with-custom-templates-and-the-uev-generator.md
index 0eaaa0f658..827c6ad3ff 100644
--- a/windows/configuration/ue-v/uev-working-with-custom-templates-and-the-uev-generator.md
+++ b/windows/configuration/ue-v/uev-working-with-custom-templates-and-the-uev-generator.md
@@ -3,6 +3,7 @@ title: Working with Custom UE-V Templates and the UE-V Template Generator
 description: Create your own custom settings location templates by working with Custom User Experience Virtualization (UE-V) Templates and the UE-V Template Generator.
 author: aczechowski
 ms.prod: windows-client
+ms.collection: tier3
 ms.date: 04/19/2017
 ms.reviewer:
 manager: dougeby
diff --git a/windows/configuration/windows-10-start-layout-options-and-policies.md b/windows/configuration/windows-10-start-layout-options-and-policies.md
index eec297b628..a3d8dd29c1 100644
--- a/windows/configuration/windows-10-start-layout-options-and-policies.md
+++ b/windows/configuration/windows-10-start-layout-options-and-policies.md @@ -1,5 +1,5 @@ --- -title: Customize and manage the Windows 10 Start and taskbar layout (Windows 10) | Microsoft Docs +title: Customize and manage the Windows 10 Start and taskbar layout description: On Windows devices, customize the start menu layout and taskbar using XML, group policy, provisioning package, or MDM policy. You can add pinned folders, add a start menu size, pin apps to the taskbar, and more. ms.reviewer: manager: aaroncz @@ -9,7 +9,9 @@ ms.author: lizlong ms.topic: article ms.localizationpriority: medium ms.date: 08/05/2021 -ms.collection: highpri +ms.collection: + - highpri + - tier2 ms.technology: itpro-configure --- @@ -25,7 +27,7 @@ ms.technology: itpro-configure > > **Looking for OEM information?** See [Customize the Taskbar](/windows-hardware/customize/desktop/customize-the-windows-11-taskbar) and [Customize the Start layout](/windows-hardware/customize/desktop/customize-the-windows-11-start-menu). -Your organization can deploy a customized Start and taskbar to Windows 10 Professional, Enterprise, or Education devices. Use a standard, customized Start layout on devices that are common to multiple users, and devices that are locked down. Configuring the taskbar allows you to pin useful apps for your users, and remove apps that are pinned by default. +Your organization can deploy a customized Start and taskbar to Windows 10 Professional, Enterprise, or Education devices. Use a standard, customized Start layout on devices that are common to multiple users, and devices that are locked down. Configuring the taskbar allows you to pin useful apps for your users, and remove apps that are pinned by default. >[!NOTE] >Support for applying a customized taskbar using MDM is added in Windows 10, version 1703. 
@@ -215,7 +217,7 @@ On Windows 10 version 1607 and later, the new taskbar layout for upgrades apply If your Start layout customization isn't applied as you expect, open the **Event Viewer**. Go to **Applications and Services Log** > **Microsoft** > **Windows** > **ShellCommon-StartLayoutPopulation** > **Operational**. Look for the following events: -- **Event 22**: The XML is malformed. The specified file isn’t valid XML. This event can happen if the file has extra spaces or unexpected characters. Or, if the file isn't saved in the UTF8 format. +- **Event 22**: The XML is malformed. The specified file isn't valid XML. This event can happen if the file has extra spaces or unexpected characters. Or, if the file isn't saved in the UTF8 format. - **Event 64**: The XML is valid, and has unexpected values. This event can happen when the configuration isn't understood, elements aren't in [the required order](start-layout-xml-desktop.md#required-order), or source isn't found, such as a missing or misspelled `.lnk`. ## Next steps diff --git a/windows/configuration/windows-accessibility-for-ITPros.md b/windows/configuration/windows-accessibility-for-ITPros.md index e019375c50..528e7fcbba 100644 --- a/windows/configuration/windows-accessibility-for-ITPros.md +++ b/windows/configuration/windows-accessibility-for-ITPros.md @@ -9,7 +9,8 @@ ms.reviewer: manager: aaroncz ms.localizationpriority: medium ms.date: 09/20/2022 -ms.topic: reference +ms.topic: conceptual +ms.collection: tier1 appliesto: - ✅ Windows 10 - ✅ Windows 11 diff --git a/windows/configuration/windows-spotlight.md b/windows/configuration/windows-spotlight.md index b9bfa40f0f..33bd24bcc8 100644 --- a/windows/configuration/windows-spotlight.md +++ b/windows/configuration/windows-spotlight.md 
@@ -1,5 +1,5 @@ --- -title: Configure Windows Spotlight on the lock screen (Windows 10) +title: Configure Windows Spotlight on the lock screen description: Windows Spotlight is an option for the lock screen background that displays different background images on the lock screen. ms.reviewer: manager: aaroncz @@ -9,7 +9,9 @@ ms.author: lizlong ms.topic: article ms.localizationpriority: medium ms.date: 04/30/2018 -ms.collection: highpri +ms.collection: + - highpri + - tier2 ms.technology: itpro-configure --- @@ -23,7 +25,7 @@ ms.technology: itpro-configure Windows Spotlight is an option for the lock screen background that displays different background images and occasionally offers suggestions on the lock screen. Windows Spotlight is available in all desktop editions of Windows 10. -For managed devices running Windows 10 Enterprise and Windows 10 Education, enterprise administrators can configure a mobile device management (MDM) or Group Policy setting to prevent users from using the Windows Spotlight background. For managed devices running Windows 10 Pro, version 1607, administrators can disable suggestions for third party apps. +For managed devices running Windows 10 Enterprise and Windows 10 Education, enterprise administrators can configure a mobile device management (MDM) or Group Policy setting to prevent users from using the Windows Spotlight background. For managed devices running Windows 10 Pro, version 1607, administrators can disable suggestions for third party apps. >[!NOTE] @@ -99,4 +101,4 @@ The recommendation for custom lock screen images that include text (such as a le [Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md) -  + diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml index 4ac1a97b0f..084263aadb 100644 --- a/windows/deployment/TOC.yml +++ b/windows/deployment/TOC.yml 
@@ -65,6 +65,8 @@ href: /windows/whats-new/feature-lifecycle?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json - name: Deprecated features href: /windows/whats-new/deprecated-features?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json + - name: Resources for deprecated features + href: /windows/whats-new/deprecated-features-resources?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json - name: Removed features href: /windows/whats-new/removed-features?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json - name: Prepare 
@@ -164,19 +166,30 @@ href: update/waas-configure-wufb.md - name: Use Windows Update for Business and WSUS href: update/wufb-wsus.md - - name: Windows Update for Business deployment service - href: update/deployment-service-overview.md - items: - - name: Troubleshoot the Windows Update for Business deployment service - href: update/deployment-service-troubleshoot.md - name: Enforcing compliance deadlines for updates href: update/wufb-compliancedeadlines.md - name: Integrate Windows Update for Business with management solutions href: update/waas-integrate-wufb.md - name: 'Walkthrough: use Group Policy to configure Windows Update for Business' href: update/waas-wufb-group-policy.md - - name: 'Walkthrough: use Intune to configure Windows Update for Business' + - name: 'Walkupdatesthrough: use Intune to configure Windows Update for Business' href: update/deploy-updates-intune.md + - name: Windows Update for Business deployment service + items: + - name: Windows Update for Business deployment service overview + href: update/deployment-service-overview.md + - name: Prerequisites for Windows Update for Business deployment service + href: update/deployment-service-prerequisites.md + - name: Deploy updates with the deployment service + items: + - name: Deploy feature updates using Graph Explorer + href: update/deployment-service-feature-updates.md + - name: Deploy expedited updates using Graph Explorer + href: update/deployment-service-expedited-updates.md + - name: Deploy driver and firmware updates using Graph Explorer + href: update/deployment-service-drivers.md + - name: Troubleshoot Windows Update for Business deployment service + href: update/deployment-service-troubleshoot.md - name: Monitor items: - name: Windows Update for Business reports diff --git a/windows/deployment/do/TOC.yml b/windows/deployment/do/TOC.yml index 6c21a68819..e84cabe14e 100644 --- a/windows/deployment/do/TOC.yml +++ b/windows/deployment/do/TOC.yml 
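Review bot: The Intune entry in `windows/deployment/TOC.yml` is changed to `'Walkupdatesthrough: use Intune to configure Windows Update for Business'`, which looks like a stray paste of "updates" into the word "Walkthrough"; the Group Policy entry two lines above it still reads `'Walkthrough: …'`. Nothing else in the hunk suggests the title was meant to change, so the line should stay `- name: 'Walkthrough: use Intune to configure Windows Update for Business'`. As written, the typo would surface in the published navigation.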
@@ -55,7 +55,7 @@ items: - name: Frequently Asked Questions href: mcc-isp-faq.yml - - name: Enhancing VM performance + - name: Enhancing cache performance href: mcc-isp-vm-performance.md - name: Support and troubleshooting href: mcc-isp-support.md diff --git a/windows/deployment/do/images/mcc-isp-create-resource-fields.png b/windows/deployment/do/images/mcc-isp-create-resource-fields.png new file mode 100644 index 0000000000..f80f8e490a Binary files /dev/null and b/windows/deployment/do/images/mcc-isp-create-resource-fields.png differ diff --git a/windows/deployment/do/images/mcc-isp-create-resource-validated.png b/windows/deployment/do/images/mcc-isp-create-resource-validated.png new file mode 100644 index 0000000000..cfa2901768 Binary files /dev/null and b/windows/deployment/do/images/mcc-isp-create-resource-validated.png differ diff --git a/windows/deployment/do/mcc-enterprise-appendix.md b/windows/deployment/do/mcc-enterprise-appendix.md index 11915236a8..d9eab5ddf8 100644 --- a/windows/deployment/do/mcc-enterprise-appendix.md +++ b/windows/deployment/do/mcc-enterprise-appendix.md @@ -12,7 +12,7 @@ ms.technology: itpro-updates # Appendix -## Steps to obtain an Azure Subscription ID +## Steps to obtain an Azure subscription ID [!INCLUDE [Get Azure subscription](includes/get-azure-subscription.md)] 
@@ -23,12 +23,20 @@ If you're not able to sign up for a Microsoft Azure subscription with the **Acco - [Can't sign up for a Microsoft Azure subscription](/troubleshoot/azure/general/cannot-sign-up-subscription). - [Troubleshoot issues when you sign up for a new account in the Azure portal](/azure/cost-management-billing/manage/troubleshoot-azure-sign-up). -## Installing on VMWare +## Hardware specifications -We've seen that Microsoft Connected Cache for Enterprise and Education can be successfully installed on VMWare. To do so, there are a couple of additional configurations to be made: +Most customers choose to install their cache node on a Windows Server with a nested Hyper-V VM. If this isn't supported in your network, some customers have also opted to install their cache node using VMware. At this time, a Linux-only solution isn't available and Azure VMs don't support the standalone Microsoft Connected Cache. + +### Installing on VMware + +We've seen that Microsoft Connected Cache for Enterprise and Education can be successfully installed on VMware. To do so, there are a couple of additional configurations to be made: 1. Ensure that you're using ESX. In the VM settings, turn on the option **Expose hardware assisted virtualization to the guest OS**. -1. Using the HyperV Manager, create an external switch. For the external switch to have internet connection, ensure **"Allow promiscuous mode"**, **"Allow forged transmits"**, and **"Allow MAC changes"** are all switched to **Yes**. +1. Using the Hyper-V Manager, create an external switch. For the external switch to have internet connection, ensure **"Allow promiscuous mode"**, **"Allow forged transmits"**, and **"Allow MAC changes"** are all switched to **Yes**. 
+ +### Installing on Hyper-V + +To learn more about how to configure Intel and AMD processors to support nested virtualization, see [Run Hyper-V in a Virtual Machine with Nested Virtualization](/virtualization/hyper-v-on-windows/user-guide/nested-virtualization). ## Diagnostics Script @@ -65,17 +73,17 @@ communication operations. The runtime performs several functions: For more information on Azure IoT Edge, see the [Azure IoT Edge documentation](/azure/iot-edge/about-iot-edge). -## Routing local Windows Clients to an MCC +## Routing local Windows clients to an MCC ### Get the IP address of your MCC using ifconfig There are multiple methods that can be used to apply a policy to PCs that should participate in downloading from the MCC. -#### Registry Key +#### Registry key You can either set your MCC IP address or FQDN using: -1. Registry Key (version 1709 and later): +1. Registry key (version 1709 and later): `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization`
"DOCacheHost"=" " @@ -86,7 +94,7 @@ You can either set your MCC IP address or FQDN using: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization" /v DOCacheHost /t REG_SZ /d "10.137.187.38" /f ``` -1. MDM Path (version 1809 and later): +1. MDM path (version 1809 and later): `.Vendor/MSFT/Policy/Config/DeliveryOptimization/DOCacheHost` @@ -95,7 +103,7 @@ You can either set your MCC IP address or FQDN using: :::image type="content" source="./images/ent-mcc-group-policy-hostname.png" alt-text="Screenshot of the Group Policy editor showing the Cache Server Hostname Group Policy setting." lightbox="./images/ent-mcc-group-policy-hostname.png"::: -**Verify Content using the DO Client** +## Verify content using the DO client To verify that the Delivery Optimization client can download content using MCC, you can use the following steps: diff --git a/windows/deployment/do/mcc-enterprise-deploy.md b/windows/deployment/do/mcc-enterprise-deploy.md index c39e4b5a84..52b3515a34 100644 --- a/windows/deployment/do/mcc-enterprise-deploy.md +++ b/windows/deployment/do/mcc-enterprise-deploy.md 
@@ -31,18 +31,18 @@ To deploy MCC to your server: For questions regarding these instructions contact [msconnectedcache@microsoft.com](mailto:msconnectedcache@microsoft.com) -### Provide Microsoft with the Azure Subscription ID +### Provide Microsoft with the Azure subscription ID As part of the MCC preview onboarding process an Azure subscription ID must be provided to Microsoft. > [!IMPORTANT] > [Take this survey](https://aka.ms/MSConnectedCacheSignup) and provide your Azure subscription ID and contact information to be added to the allowlist for this preview. You will not be able to proceed if you skip this step. -For information about creating or locating your subscription ID, see [Steps to obtain an Azure Subscription ID](mcc-enterprise-appendix.md#steps-to-obtain-an-azure-subscription-id). +For information about creating or locating your subscription ID, see [Steps to obtain an Azure subscription ID](mcc-enterprise-appendix.md#steps-to-obtain-an-azure-subscription-id). ### Create the MCC resource in Azure -The MCC Azure management portal is used to create and manage MCC nodes. An Azure Subscription ID is used to grant access to the preview and to create the MCC resource in Azure and Cache nodes. +The MCC Azure management portal is used to create and manage MCC nodes. An Azure subscription ID is used to grant access to the preview and to create the MCC resource in Azure and Cache nodes. Once you take the survey above and the MCC team adds your subscription ID to the allowlist, you'll be given a link to the Azure portal where you can create the resource described below. 
@@ -221,7 +221,7 @@ Installing MCC on your Windows device is a simple process. A PowerShell script p 1. If this is your first MCC deployment, select **n** so that a new IoT Hub can be created. If you have already configured MCC before, choose **y** so that your MCCs are grouped in the same IoT Hub. - 1. You'll be shown a list of existing IoT Hubs in your Azure Subscription. Enter the number corresponding to the IoT Hub to select it. **You'll likely have only 1 IoT Hub in your subscription, in which case you want to enter "1"** + 1. You'll be shown a list of existing IoT Hubs in your Azure subscription. Enter the number corresponding to the IoT Hub to select it. **You'll likely have only 1 IoT Hub in your subscription, in which case you want to enter "1"** :::image type="content" source="./images/ent-mcc-script-select-hub.png" alt-text="Screenshot of the installer script running in PowerShell prompting you to select which IoT Hub to use." lightbox="./images/ent-mcc-script-select-hub.png"::: :::image type="content" source="./images/ent-mcc-script-complete.png" alt-text="Screenshot of the installer script displaying the completion summary in PowerShell." lightbox="./images/ent-mcc-script-complete.png"::: @@ -235,7 +235,7 @@ Installing MCC on your Windows device is a simple process. A PowerShell script p ## Verify proper functioning MCC server -#### Verify Client Side +#### Verify client side Connect to the EFLOW VM and check if MCC is properly running: 
@@ -305,21 +305,16 @@ sudo iotedge list :::image type="content" source="./images/ent-mcc-iotedge-list.png" alt-text="Screenshot of the iotedge list command." lightbox="./images/ent-mcc-iotedge-list.png"::: -If edgeAgent and edgeHub containers are listed, but not "MCC", you may view the status of the IoT Edge security manager using the command: +If edgeAgent and edgeHub containers are listed, but not "MCC", you may view the status of the IoT Edge security manager by using the command: ```bash sudo journalctl -u iotedge -f ``` -For example, this command will provide the current status of the starting, stopping of a container, or the container pull and start. +This command will provide the current status of the starting, stopping of a container, or the container pull and start. :::image type="content" source="./images/ent-mcc-journalctl.png" alt-text="Screenshot of the output from journalctl -u iotedge -f." lightbox="./images/ent-mcc-journalctl.png"::: -Use this command to check the IoT Edge Journal - -```bash -sudo journalctl -u iotedge -f -``` > [!NOTE] > You should consult the IoT Edge troubleshooting guide ([Common issues and resolutions for Azure IoT Edge](/azure/iot-edge/troubleshoot)) for any issues you may encounter configuring IoT Edge, but we've listed a few issues that we encountered during our internal validation. diff --git a/windows/deployment/do/mcc-enterprise-prerequisites.md b/windows/deployment/do/mcc-enterprise-prerequisites.md index fac81254f0..2e5773468b 100644 --- a/windows/deployment/do/mcc-enterprise-prerequisites.md +++ b/windows/deployment/do/mcc-enterprise-prerequisites.md 
@@ -24,13 +24,12 @@ ms.technology: itpro-updates Your Azure subscription ID is first used to provision MCC services, and enable access to the preview. The MCC server requirement for an Azure subscription will cost you nothing. If you don't have an Azure subscription already, you can create an Azure [Pay-As-You-Go](https://azure.microsoft.com/offers/ms-azr-0003p/) account, which requires a credit card for verification purposes. For more information, see the [Azure Free Account FAQ](https://azure.microsoft.com/free/free-account-faq/). The resources used for the preview and in the future when this product is ready for production will be free to you, like other caching solutions. - -2. **Hardware to host MCC**: The recommended configuration will serve approximately 35000 managed devices, downloading a 2 GB payload in 24-hour timeframe at a sustained rate of 6.5 Gbps. +1. **Hardware to host MCC**: The recommended configuration will serve approximately 35000 managed devices, downloading a 2 GB payload in 24-hour timeframe at a sustained rate of 6.5 Gbps. > [!NOTE] > Azure VMs are not currently supported. If you'd like to install your cache node on VMWare, see the [Appendix](mcc-enterprise-appendix.md) for a few additional configurations. - **EFLOW Requires Hyper-V support** + **EFLOW requires Hyper-V support** - On Windows client, enable the Hyper-V feature - On Windows Server, install the Hyper-V role and create a default network switch @@ -44,6 +43,7 @@ ms.technology: itpro-updates VM networking: - An external virtual switch to support outbound and inbound network communication (created during the installation process) +1. **Content endpoints**: If you're using a proxy or firewall, certain endpoints must be allowed through in order for your MCC to cache and serve content. See [Delivery Optimization and Microsoft Connected Cache content type endpoints](delivery-optimization-endpoints.md) for the list of required endpoints. ## Sizing recommendations 
diff --git a/windows/deployment/do/mcc-isp-create-provision-deploy.md b/windows/deployment/do/mcc-isp-create-provision-deploy.md index aa7180c750..885330563a 100644 --- a/windows/deployment/do/mcc-isp-create-provision-deploy.md +++ b/windows/deployment/do/mcc-isp-create-provision-deploy.md @@ -10,7 +10,7 @@ ms.date: 12/31/2017 ms.technology: itpro-updates --- -# Create, Configure, provision, and deploy the cache node in Azure portal +# Create, configure, provision, and deploy the cache node in Azure portal **Applies to** @@ -58,8 +58,8 @@ BGP (Border Gateway Protocol) routing is another method offered for client routi 1. Enter the max allowable egress that your hardware can support. -1. Under **Cache storage**, specify the location of the cache drives to store content along with the size of the cache drives in Gigabytes. -**Note:** Up to nine cache drives are supported. +1. Under **Cache storage**, specify the location of the cache drive folder to store content along with the size of the cache drives in Gigabytes. +**Note:** This is a **required** field. Up to nine cache drive folders are supported. 1. Under **Routing information**, select the routing method you would like to use. For more information, see [Client routing](#client-routing). 
@@ -110,10 +110,10 @@ There are five IDs that the device provisioning script takes as input in order t 1. Copy and paste the script command line shown in the Azure portal. -1. Run the script in your server terminal for your cache node by . The script may take a few minutes to run. If there were no errors, you have set up your cache node successfully. To verify the server is set up correctly, follow the [verification steps](mcc-isp-verify-cache-node.md). +1. Run the script in your server terminal for your cache node. The script may take a few minutes to run. If there were no errors, you have set up your cache node successfully. To verify the server is set up correctly, follow the [verification steps](mcc-isp-verify-cache-node.md). > [!NOTE] - > The same script can be used to provision multiple cache nodes, but the command line is unique per cache node. Additionally, if you need to reprovision your server or provision a new server or VM for the cache node, you must copy the command line from the Azure portal again as the "registrationkey" value is unique for each successful execution of the provisioning script. + > The same script can be used to provision multiple cache nodes, but the command line is unique per cache node. Additionally, if you need to re-provision your server or provision a new server or VM for the cache node, you must copy the command line from the Azure portal again as the "registrationkey" value is unique for each successful execution of the provisioning script. ### General configuration fields 
@@ -127,12 +127,12 @@ There are five IDs that the device provisioning script takes as input in order t ### Storage fields > [!IMPORTANT] -> All cache drives must have read/write permissions set or the cache node will not function. -> For example, in a terminal you can run: `sudo chmod 777 /path/to/cachedrive` +> All cache drives must have full read/write permissions set or the cache node will not function. +> For example, in a terminal you can run: `sudo chmod 777 /path/to/cachedrivefolder` | Field Name | Expected Value| Description | |---|---|---| -| **Cache drive** | File path string | Up to 9 drives can be configured for each cache node to configure cache storage. Enter the file path to each drive. For example: `/dev/folder/` Each cache drive should have read/write permissions configured. | +| **Cache drive folder** | File path string | Up to 9 drive folders accessible by the cache node can be configured for each cache node to configure cache storage. Enter the location of the folder in Ubuntu where the external physical drive is mounted. For example: `/dev/sda3/` Each cache drive should have read/write permissions configured. Ensure your disks are mounted and visit [Attach a data disk to a Linux VM](/azure/virtual-machines/linux/attach-disk-portal#find-the-disk) for more information.| | **Cache drive size in gigabytes** | Integer in GB | Set the size of each drive configured for the cache node. | ### Client routing fields diff --git a/windows/deployment/do/mcc-isp-faq.yml b/windows/deployment/do/mcc-isp-faq.yml index 74688ffae3..07d8f242c0 100644 --- a/windows/deployment/do/mcc-isp-faq.yml +++ b/windows/deployment/do/mcc-isp-faq.yml 
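Review bot: The rewritten IMPORTANT note in the "Storage fields" hunk still tells operators to run `sudo chmod 777 /path/to/cachedrivefolder`, which makes the cache folder writable by every local account on the server, and the added word "full" reinforces that. The page does not say which account the cache node runs as; if that is known, the note should name it and scope the example to that owner, for example `sudo chown <cache-node-user> /path/to/cachedrivefolder` followed by `sudo chmod 700 /path/to/cachedrivefolder` (`<cache-node-user>` is a placeholder), keeping 777 only as a documented fallback. In the same hunk the new **Cache drive folder** row gives `/dev/sda3/` as its example, which reads as a block-device node rather than the folder where the drive is mounted; a mount-point style path such as `/mnt/cachedrive/` (constructed example) would match the sentence before it. The same "full permissions" wording is added to the prerequisites list in mcc-isp-signup.md, so any change here should be mirrored there.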
@@ -69,8 +69,6 @@ sections: answer: We have already successfully onboarded ISPs in many countries around the world and have received positive feedback! However, you can always start off with a portion of your CIDR blocks to test out the performance of MCC before expanding to more customers. - question: How does Microsoft Connected Cache populate its content? answer: Microsoft Connected Cache is a cold cache warmed by client requests. The client requests content and that is what fills up the cache. There's no off-peak cache fill necessary. Microsoft Connected Cache will reach out to different CDN providers just like a client device would. The traffic flow from Microsoft Connected Cache will vary depending on how you currently transit to each of these CDN providers. The content can come from third party CDNs or from AFD. - - question: What do I do if I need more support and have more questions even after reading this FAQ page? - answer: For further support for Microsoft Connected Cache, visit [Troubleshooting Issues for Microsoft Connected Cache for ISP (public preview)](mcc-isp-support.md). - question: What CDNs will Microsoft Connected Cache pull content from? answer: | Microsoft relies on a dynamic mix of 1st and 3rd party CDN providers to ensure enough capacity, redundancy, and performance for the delivery of Microsoft served content. Though we don't provide lists of the CDN vendors we utilize as they can change without notice, our endpoints are public knowledge. If someone were to perform a series of DNS lookups against our endpoints (tlu.dl.delivery.mp.microsoft.com for example), they would be able to determine which CDN or CDNs were in rotation at a given point in time: 
@@ -82,3 +80,11 @@ sections: $ whois 13.107.4.50|grep "Organization:" Organization: Microsoft Corporation (MSFT) + - question: I'm a network service provider and have downstream transit customers. If one of my downstream transit customers onboards to Microsoft Connected Cache, how will it affect my traffic? + answer: If a downstream customer deploys a Microsoft Connected Cache node, the cache controller will prefer the downstream ASN when handling that ASN's traffic. + - question: I signed up for Microsoft Connected Cache, but I'm not receiving the verification email. What should I do? + answer: First, check that the email under the NOC role is correct in your PeeringDB page. If the email associated with NOC role is correct, search for an email from the sender "microsoft-noreply@microsoft.com" with the email subject - "Here's your Microsoft Connected Cache verification code" in your Spam folders. Still can't find it? Ensure that your email admin rules allow emails from the sender "microsoft-noreply@microsoft.com". + - question: I have an active MCC, but I'm noticing I hit the message limit for my IoT Hub each day. Does this affect my MCC performance and should I be concerned? + answer: Even when the quota of 8k messages is hit, the MCC functionality won't be affected. Your client devices will continue to download content as normal. You'll also not be charged above the 8k message limit, so you don't need to worry at all about getting a paid plan. MCC will always be a free service. So if functionality isn't impacted, what is? Instead, messages about the configuration or edge deployment would be impacted. This means that if there was a request to update your MCC and the daily quota was reached, your MCC might not update. In that case, you would just need to wait for the next day to update. This is only a limitation of the private preview and isn't an issue during public preview. 
+ - question: What do I do if I need more support and have more questions even after reading this FAQ page?
+ answer: For further support for Microsoft Connected Cache, visit [Troubleshooting Issues for Microsoft Connected Cache for ISP (public preview)](mcc-isp-support.md).
diff --git a/windows/deployment/do/mcc-isp-signup.md b/windows/deployment/do/mcc-isp-signup.md
index e53324e321..f407f4d6cd 100644
--- a/windows/deployment/do/mcc-isp-signup.md
+++ b/windows/deployment/do/mcc-isp-signup.md
@@ -24,21 +24,37 @@ This article details the process of signing up for Microsoft Connected Cache for ## Prerequisites Before you begin sign up, ensure you have the following components: -- **Azure Pay-As-You-Go subscription**: Microsoft Connected Cache is a completely free-of-charge service hosted in Azure. You will need to have a Pay-As-You-Go subscription in order to onboard to our service. To create a subscription, [visit this page](https://azure.microsoft.com/offers/ms-azr-0003p/). -- **Access to Azure portal**: Ensure you have the credentials needed to access your organization's Azure portal. -- **Peering DB**: Ensure your organization's [Peering DB](https://www.peeringdb.com/) page is up-to-date and active. Check that the NOC email listed is accurate, and that you have access to this email. -- **Server**: Ensure the server you wish to install Microsoft Connected Cache on is ready, and that the server is installed Ubuntu 20.04 LTS. + +1. **Azure Pay-As-You-Go subscription**: Microsoft Connected Cache is a completely free-of-charge service hosted in Azure. You'll need to have a Pay-As-You-Go subscription in order to onboard to our service. To create a subscription, go to the [Pay-As-You-Go subscription page](https://azure.microsoft.com/offers/ms-azr-0003p/). + +1. **Access to Azure portal**: Ensure you have the credentials needed to access your organization's Azure portal. + +1. **Peering DB**: Ensure your organization's [Peering DB](https://www.peeringdb.com/) page is up-to-date and active. Check that the NOC email listed is accurate, and that you have access to this email. + +1. **Server**: Ensure the server you wish to install Microsoft Connected Cache on is ready, and that the server is installed on Ubuntu 20.04 LTS. +1. **Configure cache drive**: Make sure that you have a data drive configured with full permissions on your server. You'll need to specify the location for this cache drive during the cache node configuration process. 
The minimum size for the data drive is 100 GB. For instructions to mount a disk on a Linux VM, see [Attach a data disk to a Linux VM](/azure/virtual-machines/linux/attach-disk-portal#find-the-disk). ## Resource creation and sign up process 1. Navigate to the [Azure portal](https://www.portal.azure.com). Select **Create a Resource**. Then, search for **Microsoft Connected Cache**. - :::image type="content" source="./images/mcc-isp-search.png" alt-text="Screenshot of the Azure portal that shows the Microsoft Connected Cache resource in Azure marketplace."::: + :::image type="content" source="./images/mcc-isp-search.png" alt-text="Screenshot of the Azure portal that shows the Microsoft Connected Cache resource in Azure marketplace." lightbox="./images/mcc-isp-search.png"::: -1. Select **Create** to create a **Microsoft Connected Cache**. When prompted, enter a name for your cache resource. +1. Select **Create** to create a **Microsoft Connected Cache**. When prompted, choose the subscription, resource group, and location of your cache node. Also, enter a name for your cache node. + + :::image type="content" source="./images/mcc-isp-create-resource-fields.png" alt-text="Screenshot of the Azure portal that shows the Microsoft Connected Cache resource creation step." lightbox="./images/mcc-isp-create-resource-fields.png"::: > [!IMPORTANT] > After your resource has been created, we need some information to verify your network operator status and approve you to host Microsoft Connected Cache nodes. Please ensure that your [Peering DB](https://www.peeringdb.com/) organization information is up to date as this information will be used for verification. The NOC contact email will be used to send verification information. + + After a few moments, you'll see a "Validation successful" message, indicating you can move onto the next step and select **Create**. 
+ + :::image type="content" source="./images/mcc-isp-create-resource-validated.png" alt-text="Screenshot of the Azure portal that shows a green validation successful message for the creation of the Microsoft Connected Cache resource." lightbox="./images/mcc-isp-create-resource-validated.png"::: + +1. The creation of the cache node may take a few minutes. After a successful creation, you'll see a **Deployment complete** page as below. Select **Go to resource**. + + :::image type="content" source="./images/mcc-isp-deployment-complete.png" alt-text="Screenshot of the Azure portal that shows a successful deployment for the creation of the Microsoft Connected Cache resource." lightbox="./images/mcc-isp-deployment-complete.png"::: + 1. Navigate to **Settings** > **Sign up**. Enter your organization ASN. Indicate whether you're a transit provider. If so, additionally, include any ASN(s) for downstream network operators that you may transit traffic for. :::image type="content" source="./images/mcc-isp-sign-up.png" alt-text="Screenshot of the sign up page in the Microsoft Connected Cache resource page in Azure portal." lightbox="./images/mcc-isp-sign-up.png"::: 
@@ -48,7 +64,10 @@ Before you begin sign up, ensure you have the following components: > [!NOTE] > Verification codes expire in 24 hours. You will need to generate a new code if it expires. - :::image type="content" source="images/mcc-isp-operator-verification.png" alt-text="Screenshot of the sign up verification page on Azure portal for Microsoft Connected Cache." lightbox="./images/mcc-isp-operator-verification.png"::: + :::image type="content" source="images/mcc-isp-operator-verification.png" alt-text="Screenshot of the sign up verification page on Azure portal for Microsoft Connected Cache." lightbox="./images/mcc-isp-operator-verification.png"::: + + > [!NOTE] + > **Can't find the verification email in your inbox?** Check that the email under the NOC role is correct in [Peering DB](https://www.peeringdb.com/). Search for an email from the sender **microsoft-noreply@microsoft.com** with the email subject: "Here’s your Microsoft Connected Cache verification code" in your Spam folders. Still can't find it? Ensure that your email admin rules allow emails from the sender **microsoft-noreply@microsoft.com**. 1. Once verified, follow the instructions in [Create, provision, and deploy cache node](mcc-isp-create-provision-deploy.md) to create your cache node. 
@@ -57,37 +76,3 @@ Before you begin sign up, ensure you have the following components: During the sign-up process, Microsoft will provide you with a traffic estimation based on your ASN(s). We make estimations based on our predictions on historical data about Microsoft content download volume. We'll use these estimations to recommend hardware or VM configurations. You can review these recommendations within the Azure portal. We make these estimations based on the Microsoft content types that Microsoft Connected Cache serves. To learn more about the types of content that are supported, see [Delivery Optimization and Microsoft Connected Cache content type endpoints](delivery-optimization-endpoints.md). --> - -### Cache performance - -To make sure you're maximizing the performance of your cache node, review the following information: - -#### OS requirements - -The Microsoft Connected Cache module is optimized for Ubuntu 20.04 LTS. Install Ubuntu 20.04 LTS on a physical server or VM of your choice. - -#### NIC requirements - -- Multiple NICs on a single MCC instance are supported using a *link aggregated* configuration. -- 10 Gbps NIC is the minimum speed recommended, but any NIC is supported. - -#### Drive performance - -The maximum number of disks supported is 9. When configuring your drives, we recommend SSD drives as cache read speed of SSD is superior to HDD. In addition, using multiple disks is recommended to improve cache performance. - -RAID disk configurations are discouraged as cache performance will be impacted. If using RAID disk configurations, ensure striping. - -### Hardware configuration example - -There are many hardware configurations that suit Microsoft Connected Cache. 
As an example, a customer has deployed the following hardware configuration and is able to achieve a peak egress of about 35 Gbps: - -**Dell PowerEdge R330** - -- 2 x Intel(R) Xeon(R) CPU E5-2630 v3 @ 2.40 GHz, total 32 core -- 48 GB, Micron Technology 18ASF1G72PDZ-2G1A1, Speed: 2133 MT/s -- 4 - Transcend SSD230s 1 TB SATA Drives -- Intel Corporation Ethernet 10G 2P X520 Adapter (Link Aggregated) - -### Virtual machines - -Microsoft Connected Cache supports both physical and virtual machines as cache servers. If you're using a virtual machine as your server, refer to [VM performance](mcc-isp-vm-performance.md) for tips on how to improve your VM performance. \ No newline at end of file diff --git a/windows/deployment/do/mcc-isp-verify-cache-node.md b/windows/deployment/do/mcc-isp-verify-cache-node.md index da0003c24f..1e31838cd4 100644 --- a/windows/deployment/do/mcc-isp-verify-cache-node.md +++ b/windows/deployment/do/mcc-isp-verify-cache-node.md 
@@ -16,6 +16,28 @@ ms.technology: itpro-updates This article details how to verify that your cache node(s) are functioning properly and serving traffic. This article also details how to monitor your cache nodes. +## Verify cache node installation is complete + +Sign in to the Connected Cache server or use SSH. Run the following command from a terminal to see the running modules (containers): + +```bash +sudo iotedge list +``` + +:::image type="content" source="./images/mcc-isp-running-containers.png" alt-text="Screenshot of the terminal output of iotedge list command, showing the running containers." lightbox="./images/mcc-isp-running-containers.png"::: + +If it lists the **edgeAgent** and **edgeHub** containers, but doesn't include **MCC**, view the status of the IoT Edge security manager using the command: + +```bash +sudo iotedge system logs -- -f +``` + +For example, this command provides the current status of the starting and stopping of a container, or the container pull and start: + +:::image type="content" source="./images/mcc-isp-edge-journalctl.png" alt-text="Terminal output of journalctl command for iotedge." lightbox="./images/mcc-isp-edge-journalctl.png"::: + +You may need to wait up to 30 minutes for the cache node software to complete downloading and begin caching. + ## Verify functionality on Azure portal Sign into the [Azure portal](https://www.portal.azure.com) and navigate to the **Overview** page. Select the **Monitoring** tab to verify the functionality of your server(s) by validating the number of healthy nodes shown. If you see any **Unhealthy nodes**, select the **Diagnose and Solve** link to troubleshoot and resolve the issue. 
@@ -48,6 +70,14 @@ http:///mscomtest/wuidt.gif?cacheHostOrigin=au.download.windowsup If the test fails, for more information, see the [FAQ](mcc-isp-faq.yml) article. +## Verify BGP routing configuration + +To verify your BGP routes are correctly configured for a cache node, navigate to **Settings > Cache nodes**. Select the cache node you wish to verify BGP routes for. + +Verify that under **Routing Information**, the state of **BGP routes received** is True. Verify the IP space is correct. Lastly, select **Download JSON** next to **Download BGP Routes** to view the BGP routes that your cache node is currently advertising. + +If **BGP routes received** is False, your **IP Space** is 0, or you're experiencing any BGP routing errors, ensure your **ASN** and **IP address** is entered correctly. + ## Monitor cache node health and performance Within Azure portal, there are many charts and graphs that are available to monitor cache node health and performance. diff --git a/windows/deployment/do/mcc-isp-vm-performance.md b/windows/deployment/do/mcc-isp-vm-performance.md index 9316c9a5af..5bd6e00e83 100644 --- a/windows/deployment/do/mcc-isp-vm-performance.md +++ b/windows/deployment/do/mcc-isp-vm-performance.md @@ -1,5 +1,5 @@ --- -title: Enhancing VM performance +title: Enhancing cache performance manager: aaroncz description: How to enhance performance on a virtual machine used with Microsoft Connected Cache for ISPs ms.prod: windows-client 
@@ -10,11 +10,41 @@ ms.technology: itpro-updates ms.date: 12/31/2017 --- -# Enhancing virtual machine performance +# Enhancing cache performance + +To make sure you're maximizing the performance of your cache node, review the following information: + +#### OS requirements + +The Microsoft Connected Cache module is optimized for Ubuntu 20.04 LTS. Install Ubuntu 20.04 LTS on a physical server or VM of your choice. + +#### NIC requirements + +- Multiple NICs on a single MCC instance are supported using a *link aggregated* configuration. +- 10 Gbps NIC is the minimum speed recommended, but any NIC is supported. + +#### Drive performance + +The maximum number of disks supported is 9. When configuring your drives, we recommend SSD drives as cache read speed of SSD is superior to HDD. In addition, using multiple disks is recommended to improve cache performance. + +RAID disk configurations are discouraged as cache performance will be impacted. If using RAID disk configurations, ensure striping. + +### Hardware configuration example + +There are many hardware configurations that suit Microsoft Connected Cache. As an example, a customer has deployed the following hardware configuration and is able to achieve a peak egress of about 35 Gbps: + +**Dell PowerEdge R330** + +- 2 x Intel(R) Xeon(R) CPU E5-2630 v3 @ 2.40 GHz, total 32 core +- 48 GB, Micron Technology 18ASF1G72PDZ-2G1A1, Speed: 2133 MT/s +- 4 - Transcend SSD230s 1 TB SATA Drives +- Intel Corporation Ethernet 10G 2P X520 Adapter (Link Aggregated) + +## Enhancing virtual machine performance In virtual environments, the cache server egress peaks at around 1.1 Gbps. If you want to maximize the egress in virtual environments, it's critical to change two settings. -## Virtual machine settings +### Virtual machine settings Change the following settings to maximize the egress in virtual environments: 
@@ -27,7 +57,3 @@ Change the following settings to maximize the egress in virtual environments: Microsoft has found these settings to double egress when using a Microsoft Hyper-V deployment. 2. Enable high performance in the BIOS instead of energy savings. Microsoft has found this setting to also nearly double egress in a Microsoft Hyper-V deployment. - -## Next steps - -[Support and troubleshooting](mcc-isp-support.md) diff --git a/windows/deployment/do/waas-microsoft-connected-cache.md b/windows/deployment/do/waas-microsoft-connected-cache.md index bc0d6223b6..dcfac57aad 100644 --- a/windows/deployment/do/waas-microsoft-connected-cache.md +++ b/windows/deployment/do/waas-microsoft-connected-cache.md @@ -1,13 +1,12 @@ --- title: Microsoft Connected Cache overview -manager: dougeby +manager: aaroncz description: This article provides information about Microsoft Connected Cache (MCC), a software-only caching solution. ms.prod: windows-client author: carmenf ms.localizationpriority: medium ms.author: carmenf ms.topic: article -ms.custom: seo-marvel-apr2020 ms.technology: itpro-updates ms.date: 12/31/2017 --- 
@@ -20,13 +19,21 @@ ms.date: 12/31/2017 - Windows 11 > [!IMPORTANT] -> Microsoft Connected Cache is currently a preview feature. To view our early preview documentation, visit [Microsoft Connected Cache for Internet Service Providers (ISPs)](mcc-isp.md). For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). +> Microsoft Connected Cache is currently a preview feature. To view our Microsoft Connected Cache for ISPs early preview documentation, visit [Microsoft Connected Cache for Internet Service Providers (ISPs)](mcc-isp.md). For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). -Microsoft Connected Cache (MCC) preview is a software-only caching solution that delivers Microsoft content within Enterprise networks. MCC can be deployed to as many bare-metal servers or VMs as needed, and is managed from a cloud portal. Cache nodes are created in the cloud portal and are configured by applying the client policy using management tools such as Intune. +Microsoft Connected Cache is a software-only caching solution that delivers Microsoft content. Microsoft Connected Cache has two main offerings: 1) Microsoft Connected Cache for Internet Service Providers and 2) Microsoft Connected Cache for Enterprise and Education (early preview). Both products are created and managed in the cloud portal. + +## Microsoft Connected Cache for ISPs (preview) +Microsoft Connected Cache (MCC) for Internet Service Providers is currently in preview. MCC can be deployed to as many bare-metal servers or VMs as needed and is managed from a cloud portal. When deployed, MCC can help to reduce your network bandwidth usage for Microsoft software content and updates. Cache nodes are created in the cloud portal and are configured to deliver traffic to customers by manual CIDR or BGP routing. 
+ +## Microsoft Connected Cache for Enterprise and Education (early preview) +Microsoft Connected Cache (MCC) for Enterprise and Education (early preview) is a software-only caching solution that delivers Microsoft content within Enterprise and Education networks. MCC can be deployed to as many Windows servers, bare-metal servers, or VMs as needed, and is managed from a cloud portal. Cache nodes are created in the cloud portal and are configured by applying the client policy using management tools such as Intune. MCC is a hybrid (mix of on-premises and cloud resources) SaaS solution built as an Azure IoT Edge module and Docker compatible Linux container deployed to your Windows devices. The Delivery Optimization team chose IoT Edge for Linux on Windows (EFLOW) as a secure, reliable container management infrastructure. EFLOW is a Linux virtual machine, based on Microsoft's first party CBL-Mariner operating system. It’s built with the IoT Edge runtime and validated as a tier 1 supported environment for IoT Edge workloads. MCC will be a Linux IoT Edge module running on the Windows Host OS. -Even though your MCC scenario isn't related to IoT, Azure IoT Edge is used as a more generic Linux container deployment and management infrastructure. The Azure IoT Edge runtime sits on your designated MCC device and performs management and communication operations. The runtime performs several functions important to manage MCC on your edge device: +## IoT Edge + +Both of Microsoft Connected Cache product offerings use Azure IoT Edge. Even though your MCC scenario isn't related to IoT, Azure IoT Edge is used as a more generic Linux container deployment and management infrastructure. The Azure IoT Edge runtime sits on your designated MCC device and performs management and communication operations. The runtime performs several functions important to manage MCC on your edge device: 1. Installs and updates MCC on your edge device. 1. 
Maintains Azure IoT Edge security standards on your edge device. @@ -51,8 +58,6 @@ The following diagram displays and overview of how MCC functions: :::image type="content" source="./images/waas-mcc-diag-overview.png" alt-text="Diagram displaying the components of MCC." lightbox="./images/waas-mcc-diag-overview.png"::: - - ## Next steps - [Microsoft Connected Cache for Enterprise and Education](mcc-enterprise-prerequisites.md) diff --git a/windows/deployment/docfx.json b/windows/deployment/docfx.json index ad1f0f4c84..1387984499 100644 --- a/windows/deployment/docfx.json +++ b/windows/deployment/docfx.json @@ -34,6 +34,9 @@ "externalReference": [], "globalMetadata": { "recommendations": true, + "ms.collection": [ + "tier2" + ], "breadcrumb_path": "/windows/resources/breadcrumb/toc.json", "uhfHeaderId": "MSDocsHeader-M365-IT", "feedback_system": "GitHub", diff --git a/windows/deployment/update/deployment-service-drivers.md b/windows/deployment/update/deployment-service-drivers.md new file mode 100644 index 0000000000..cb9c80bdd4 --- /dev/null +++ b/windows/deployment/update/deployment-service-drivers.md 
@@ -0,0 +1,332 @@ +--- +title: Deploy drivers and firmware updates with Windows Update for Business deployment service. +description: Use Windows Update for Business deployment service to deploy driver and firmware updates. +ms.prod: windows-client +author: mestew +ms.localizationpriority: medium +ms.author: mstewart +manager: aaroncz +ms.topic: article +ms.technology: itpro-updates +ms.date: 02/14/2023 +--- + +# Deploy drivers and firmware updates with Windows Update for Business deployment service + +***(Applies to: Windows 11 & Windows 10)*** + +The Windows Update for Business deployment service is used to approve and schedule software updates. The deployment service exposes its capabilities through the [Microsoft Graph API](/graph/use-the-api). You can call the API directly, through a [Graph SDK](/graph/sdks/sdks-overview), or integrate them with a management tool such as [Microsoft Intune](/mem/intune). + +This article uses [Graph Explorer](/graph/graph-explorer/graph-explorer-overview) to walk through the entire process of deploying a driver update to clients. In this article, you will: +> [!div class="checklist"] +> +> - [Open Graph Explorer](#open-graph-explorer) +> - [Run queries to identify devices](#run-queries-to-identify-devices) +> - [Enroll devices](#enroll-devices) +> - [Create a deployment audience and add audience members](#create-a-deployment-audience-and-add-audience-members) +> - [Create an update policy](#create-an-update-policy) +> - [Review applicable driver content](#review-applicable-driver-content) +> - [Approve driver content for deployment](#approve-driver-content-for-deployment) +> - [Revoke content approval](#revoke-content-approval) +> - [Unenroll devices](#unenroll-devices) + +## Prerequisites + +All of the [prerequisites for the Windows Update for Business deployment service](deployment-service-prerequisites.md) must be met. 
+ +### Permissions + + +[!INCLUDE [Windows Update for Business deployment service permissions using Graph Explorer](./includes/wufb-deployment-graph-explorer-permissions.md)] + +## Open Graph Explorer + + +[!INCLUDE [Graph Explorer sign in](./includes/wufb-deployment-graph-explorer.md)] + +## Run queries to identify devices + + +[!INCLUDE [Graph Explorer device queries](./includes/wufb-deployment-find-device-name-graph-explorer.md)] + +## Enroll devices + +When you enroll devices into driver management, the deployment service becomes the authority for driver updates coming from Windows Update. Devices don't receive drivers or firmware from Windows Update until a deployment is manually created or they're added to a driver update policy with approvals. + + +[!INCLUDE [Graph Explorer enroll devices](./includes/wufb-deployment-enroll-device-graph-explorer.md)] + +## Create a deployment audience and add audience members + + +[!INCLUDE [Graph Explorer enroll devices](./includes/wufb-deployment-audience-graph-explorer.md)] + +Once a device has been enrolled and added to a deployment audience, the Windows Update for Business deployment service will start collecting scan results from Windows Update to build a catalog of applicable drivers to be browsed, approved, and scheduled for deployment. + +## Create an update policy + +Update policies define how content is deployed to a deployment audience. An [update policy](/graph/api/resources/windowsupdates-updatepolicy) ensures deployments to a deployment audience behave in a consistent manner without having to create and manage multiple individual deployments. When a content approval is added to the policy, it's deployed to the devices in the associated audiences. The deployment and monitoring settings are optional. 
+ +> [!IMPORTANT] +> Any [deployment settings](/graph/api/resources/windowsupdates-deploymentsettings) configured for a [content approval](#approve-driver-content-for-deployment) will be combined with the existing update policy's deployment settings. If the content approval and update policy specify the same deployment setting, the setting from the content approval is used. + + +### Create a policy and define the settings later + +To create a policy without any deployment settings, in the request body specify the **Audience ID** as `id`. In the following example, the **Audience ID** is `d39ad1ce-0123-4567-89ab-cdef01234567`, and the `id` given in the response is the **Policy ID**: + + ```msgraph-interactive + POST https://graph.microsoft.com/beta/admin/windows/updates/updatePolicies + content-type: application/json + + { + "audience": { + "@odata.id": "d39ad1ce-0123-4567-89ab-cdef01234567" + } + } + ``` + +Response returning the policy, without any additional settings specified, that has a **Policy ID** of `9011c330-1234-5678-9abc-def012345678`: + +```json +HTTP/1.1 202 Accepted +content-type: application/json +{ + "@odata.context": "https://graph.microsoft.com/beta/$metadata#admin/windows/updates/updatePolicies/$entity", + "id": "9011c330-1234-5678-9abc-def012345678", + "createdDateTime": "2023-01-25T05:32:21.9721459Z", + "autoEnrollmentUpdateCategories": [], + "complianceChangeRules": [], + "deploymentSettings": { + "schedule": null, + "monitoring": null, + "contentApplicability": null, + "userExperience": null, + "expedite": null + } +} +``` + +### Specify settings during policy creation + +To create a policy with additional settings, in the request body: + - Specify the **Audience ID** as `id` + - Define any [deployment settings](/graph/api/resources/windowsupdates-deploymentsettings). + - Add the `content-length` header to the request if a status code of 411 occurs. The value should be the length of the request body in bytes. 
For information on error codes, see [Microsoft Graph error responses and resource types](/graph/errors). + + In the following driver update policy example, any deployments created by a content approval will start 7 days after approval for **Audience ID** `d39ad1ce-0123-4567-89ab-cdef01234567`: + + ```msgraph-interactive + POST https://graph.microsoft.com/beta/admin/windows/updates/updatePolicies + content-type: application/json + + { + "@odata.type": "#microsoft.graph.windowsUpdates.updatePolicy", + "audience": { + "@odata.id": "d39ad1ce-0123-4567-89ab-cdef01234567" + }, + "complianceChanges": [ + { + "@odata.type": "#microsoft.graph.windowsUpdates.contentApproval" + } + ], + "complianceChangeRules": [ + { + "@odata.type": "#microsoft.graph.windowsUpdates.contentApprovalRule", + "contentFilter": { + "@odata.type": "#microsoft.graph.windowsUpdates.driverUpdateFilter" + }, + "durationBeforeDeploymentStart": "P7D" + } + ] + } + ``` + + +### Review and edit update policy settings + +To review the policy settings, run the following query using the **Policy ID**, for example `9011c330-1234-5678-9abc-def012345678`: + + ```msgraph-interactive + GET https://graph.microsoft.com/beta/admin/windows/updates/updatePolicies/9011c330-1234-5678-9abc-def012345678 + ``` + +To edit the policy settings, **PATCH** the policy using the **Policy ID**. 
Run the following **PATCH** to automatically approve driver content that's recommended by `Microsoft`for deployment for **Policy ID** `9011c330-1234-5678-9abc-def012345678`: + +``` msgraph-interactive +PATCH https://graph.microsoft.com/beta/admin/windows/updates/updatePolicies/9011c330-1234-5678-9abc-def012345678 +content-type: application/json + +{ + "complianceChangeRules": [ + { + "@odata.type": "#microsoft.graph.windowsUpdates.contentApprovalRule", + "contentFilter": { + "@odata.type": "#microsoft.graph.windowsUpdates.driverUpdateFilter" + } + } + ], + "deploymentSettings": { + "@odata.type": "#microsoft.graph.windowsUpdates.deploymentSettings", + "contentApplicability": { + "@odata.type": "#microsoft.graph.windowsUpdates.contentApplicabilitySettings", + "offerWhileRecommendedBy": ["microsoft"] + } + } +} +``` + + +## Review applicable driver content + +Once Windows Update for Business deployment service has scan results from devices, the applicability for driver and firmware updates can be displayed for a deployment audience. Each applicable update returns the following information: + +- An `id` for its [catalog entry](/graph/api/resources/windowsupdates-catalogentry) +- The **Azure AD ID** of the devices it's applicable to +- Information describing the update such as the name and version. 
+ +To display [applicable content](/graph/api/resources/windowsupdates-applicablecontent), run a query using the **Audience ID**, for example `d39ad1ce-0123-4567-89ab-cdef01234567`: + +```msgraph-interactive +GET https://graph.microsoft.com/beta/admin/windows/updates/deploymentAudiences/d39ad1ce-0123-4567-89ab-cdef01234567/applicableContent +``` + +The following truncated response displays: + - An **Azure AD ID** of `01234567-89ab-cdef-0123-456789abcdef` + - The **Catalog ID** of `5d6dede684ba5c4a731d62d9c9c2a99db12c5e6015e9f8ad00f3e9387c7f399c` + + ```json + "matchedDevices": [ + { + "recommendedBy": [ + "Microsoft" + ], + "deviceId": "01ea3c90-12f5-4093-a4c9-c1434657c976" + } + ], + "catalogEntry": { + "@odata.type": "#microsoft.graph.windowsUpdates.driverUpdateCatalogEntry", + "id": "5d6dede684ba5c4a731d62d9c9c2a99db12c5e6015e9f8ad00f3e9387c7f399c", + "displayName": "Microsoft - Test - 1.0.0.1", + "deployableUntilDateTime": null, + "releaseDateTime": "0001-01-21T04:18:32Z", + "description": "Microsoft test driver update released in January 2021", + "driverClass": "OtherHardware", + "provider": "Microsoft", + "setupInformationFile": null, + "manufacturer": "Microsoft", + "version": "1.0.0.1", + "versionDateTime": "2021-01-11T02:43:14Z" + ``` + +## Approve driver content for deployment + +Each driver update is associated with a unique [catalog entry](/graph/api/resources/windowsupdates-catalogentry). Approve content for drivers and firmware by adding a [content approval](/graph/api/resources/windowsupdates-contentapproval) for the catalog entry to an existing policy. Content approval is a [compliance change](/graph/api/resources/windowsupdates-compliance) for the policy. + +> [!IMPORTANT] +> Any [deployment settings](/graph/api/resources/windowsupdates-deploymentsettings) configured for the content approval will be combined with the existing [update policy's](#create-an-update-policy) deployment settings. 
If the content approval and update policy specify the same deployment setting, the setting from the content approval is used. + +Add a content approval to an existing policy, **Policy ID** `9011c330-1234-5678-9abc-def012345678` for the driver update with the **Catalog ID** `5d6dede684ba5c4a731d62d9c9c2a99db12c5e6015e9f8ad00f3e9387c7f399c`. Schedule the start date for February 14, 2023 at 1 AM UTC: + +```msgraph-interactive +POST https://graph.microsoft.com/beta/admin/windows/updates/updatePolicies/9011c330-1234-5678-9abc-def012345678/complianceChanges +content-type: application/json + +{ + "@odata.type": "#microsoft.graph.windowsUpdates.contentApproval", + "content": { + "@odata.type": "#microsoft.graph.windowsUpdates.catalogContent", + "catalogEntry": { + "@odata.type": "#microsoft.graph.windowsUpdates.driverUpdateCatalogEntry", + "id": "5d6dede684ba5c4a731d62d9c9c2a99db12c5e6015e9f8ad00f3e9387c7f399c" + } + }, + "deploymentSettings": { + "@odata.type": "microsoft.graph.windowsUpdates.deploymentSettings", + "schedule": { + "startDateTime": "2023-02-14T01:00:00Z" + } + } +} +``` + +The response for a content approval returns content and deployment settings along with an `id`, which is the **Compliance Change ID**. 
The **Compliance Change ID** is `c03911a7-9876-5432-10ab-cdef98765432` in the following truncated response: + +```json + "@odata.type": "#microsoft.graph.windowsUpdates.contentApproval", + "id": "c03911a7-9876-5432-10ab-cdef98765432", + "createdDateTime": "2023-02-02T17:54:39.173292Z", + "isRevoked": false, + "revokedDateTime": "0001-01-01T00:00:00Z", + "content": { + "@odata.type": "#microsoft.graph.windowsUpdates.catalogContent", + "catalogEntry": { + "@odata.type": "#microsoft.graph.windowsUpdates.driverUpdateCatalogEntry", + "id": "5d6dede684ba5c4a731d62d9c9c2a99db12c5e6015e9f8ad00f3e9387c7f399c" + } + }, + "deploymentSettings": { + "schedule": { + "startDateTime": "2023-02-14T01:00:00Z", +``` + +Review all of the compliance changes to a policy with the most recent changes listed in the response first. The following example returns the compliance changes for a policy with the **Policy ID** `9011c330-1234-5678-9abc-def012345678` and sorts by `createdDateTime` in descending order: + + ```msgraph-interactive + GET https://graph.microsoft.com/beta/admin/windows/updates/updatePolicies/9011c330-1234-5678-9abc-def012345678/complianceChanges?orderby=createdDateTime desc + ``` + + > [!TIP] + > There should only be one **Compliance Change ID** per **Catalog ID** for a policy. If there are multiple **Compliance Change IDs** for the same **Catalog ID** then, most likely, there's multiple deployments for the same piece of content targeted to the same audience but with different deployment behaviors. To remove the duplicate, [delete the compliance change](/graph/api/resources/windowsupdates-compliancechange-delete) with the duplicate **Catalog ID**. Deleting the compliance change will mark any deployments created by the approval as `archived`. + +To retrieve the deployment ID, use the [expand parameter](/graph/query-parameters#expand-parameter) to review the deployment information related the content approval. 
The following example displays the content approval and the deployment information for **Compliance Change ID** `c03911a7-9876-5432-10ab-cdef98765432` in update **Policy ID** `9011c330-1234-5678-9abc-def012345678`: + + ```msgraph-interactive + GET https://graph.microsoft.com/beta/admin/windows/updates/updatePolicies/9011c330-1234-5678-9abc-def012345678/complianceChanges/c03911a7-9876-5432-10ab-cdef98765432/$/microsoft.graph.windowsUpdates.contentApproval?$expand=deployments + ``` + +### Edit deployment settings for a content approval + +Since content approval is a compliance change for the policy, when you [update a content approval](/graph/api/resources/windowsupdates--contentapproval-update), you're editing the compliance change for the policy. The following example changes the `startDateTime` for the **Compliance Change ID** of `c03911a7-9876-5432-10ab-cdef98765432` in the update **Policy ID** `9011c330-1234-5678-9abc-def012345678` to February 28, 2023 at 5 AM UTC: + +```msgraph-interactive +PATCH https://graph.microsoft.com/beta/admin/windows/updates/updatePolicies/9011c330-1234-5678-9abc-def012345678/complianceChanges/c03911a7-9876-5432-10ab-cdef98765432 +content-type: application/json + +{ + "@odata.type": "#microsoft.graph.windowsUpdates.contentApproval", + "deploymentSettings": { + "@odata.type": "microsoft.graph.windowsUpdates.deploymentSettings", + "schedule": { + "startDateTime": "2023-02-28T05:00:00Z" + } + } +} +``` + + +## Revoke content approval + +Approval for content can be revoked by setting the `isRevoked` property of the [compliance change](/graph/api/resources/windowsupdates-compliance) to true. This setting can be changed while a deployment is in progress. However, revoking will only prevent the content from being offered to devices if they haven't already received it. To resume offering the content, a new [approval](#approve-driver-content-for-deployment) will need to be created. 
+
+
+```msgraph-interactive
+PATCH https://graph.microsoft.com/beta/admin/windows/updates/updatePolicies/9011c330-1234-5678-9abc-def012345678/complianceChanges/c03911a7-9876-5432-10ab-cdef98765432
+content-type: application/json
+
+{
+ "@odata.type": "#microsoft.graph.windowsUpdates.contentApproval",
+ "isRevoked": true
+}
+```
+
+To display all deployments with the most recently created returned first, order deployments based on the `createdDateTime`:
+
+```msgraph-interactive
+GET https://graph.microsoft.com/beta/admin/windows/updates/deployments?orderby=createdDateTime desc
+```
+
+## Unenroll devices
+
+
+[!INCLUDE [Graph Explorer enroll devices](./includes/wufb-deployment-graph-unenroll.md)]
diff --git a/windows/deployment/update/deployment-service-expedited-updates.md b/windows/deployment/update/deployment-service-expedited-updates.md
new file mode 100644
index 0000000000..14b6fec38a
--- /dev/null
+++ b/windows/deployment/update/deployment-service-expedited-updates.md
@@ -0,0 +1,196 @@
+---
+title: Deploy expedited updates with Windows Update for Business deployment service
+description: Use Windows Update for Business deployment service to deploy expedited updates.
+ms.prod: windows-client
+author: mestew
+ms.localizationpriority: medium
+ms.author: mstewart
+manager: aaroncz
+ms.topic: article
+ms.technology: itpro-updates
+ms.date: 02/14/2023
+---
+
+# Deploy expedited updates with Windows Update for Business deployment service
+
+
+***(Applies to: Windows 11 & Windows 10)***
+
+In this article, you will:
+> [!div class="checklist"]
+>
+> * [Open Graph Explorer](#open-graph-explorer)
+> * [Run queries to identify test devices](#run-queries-to-identify-devices)
+> * [List catalog entries for expedited updates](#list-catalog-entries-for-expedited-updates)
+> * [Create a deployment](#create-a-deployment)
+> * [Add members to the deployment audience](#add-members-to-the-deployment-audience)
+> * [Delete a deployment](#delete-a-deployment)
+
+## Prerequisites
+
+All of the [prerequisites for the Windows Update for Business deployment service](deployment-service-prerequisites.md) must be met.
+
+### Permissions
+
+
+[!INCLUDE [Windows Update for Business deployment service permissions using Graph Explorer](./includes/wufb-deployment-graph-explorer-permissions.md)]
+
+## Open Graph Explorer
+
+
+[!INCLUDE [Graph Explorer sign in](./includes/wufb-deployment-graph-explorer.md)]
+
+## Run queries to identify devices
+
+
+[!INCLUDE [Graph Explorer device queries](./includes/wufb-deployment-find-device-name-graph-explorer.md)]
+
+## List catalog entries for expedited updates
+
+Each update is associated with a unique [catalog entry](/graph/api/resources/windowsupdates-catalogentry). You can query the catalog to find updates that can be expedited. The `id` returned is the **Catalog ID** and is used to create a deployment. The following query lists all security updates that can be deployed as expedited updates by the deployment service. Using `$top=3` and ordering by `ReleaseDateTimeshows` displays the three most recent updates.
+
+```msgraph-interactive
+GET https://graph.microsoft.com/beta/admin/windows/updates/catalog/entries?$filter=isof('microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry') and microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry/isExpeditable eq true&$orderby=releaseDateTime desc&$top=3
+```
+
+The following truncated response displays a **Catalog ID** of `693fafea03c24cca819b3a15123a8880f217b96a878b6d6a61be021d476cc432` for the `01/10/2023 - 2023.01 B Security Updates for Windows 10 and later` security update:
+
+```json
+{
+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#admin/windows/updates/catalog/entries",
+ "value": [
+ {
+ "@odata.type": "#microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry",
+ "id": "693fafea03c24cca819b3a15123a8880f217b96a878b6d6a61be021d476cc432",
+ "displayName": "01/10/2023 - 2023.01 B Security Updates for Windows 10 and later",
+ "deployableUntilDateTime": null,
+ "releaseDateTime": "2023-01-10T00:00:00Z",
+ "isExpeditable": true,
+ "qualityUpdateClassification": "security"
+ },
+ ...
+ ]
+}
+```
+
+## Create a deployment
+
+When creating a deployment, there are [multiple options](/graph/api/resources/windowsupdates-deploymentsettings) available to define how the deployment behaves. The following example creates a deployment for the `01/10/2023 - 2023.01 B Security Updates for Windows 10 and later` security update with catalog entry ID `693fafea03c24cca819b3a15123a8880f217b96a878b6d6a61be021d476cc432`, and defines the `expedite` and `userExperience` deployment options in the request body.
+
+```msgraph-interactive
+POST https://graph.microsoft.com/beta/admin/windows/updates/deployments
+content-type: application/json
+
+{
+ "@odata.type": "#microsoft.graph.windowsUpdates.deployment",
+ "content": {
+ "@odata.type": "#microsoft.graph.windowsUpdates.catalogContent",
+ "catalogEntry": {
+ "@odata.type": "#microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry",
+ "id": "693fafea03c24cca819b3a15123a8880f217b96a878b6d6a61be021d476cc432"
+ }
+ },
+ "settings": {
+ "@odata.type": "microsoft.graph.windowsUpdates.deploymentSettings",
+ "expedite": {
+ "isExpedited": true
+ },
+ "userExperience": {
+ "daysUntilForcedReboot": 2
+ }
+ }
+}
+```
+
+The request returns a 201 Created response code and a [deployment](/graph/api/resources/windowsupdates-deployment) object in the response body for the newly created deployment, which includes:
+
+- The **Deployment ID** `de910e12-3456-7890-abcd-ef1234567890` of the newly created deployment.
+- The **Audience ID** `d39ad1ce-0123-4567-89ab-cdef01234567` of the newly created deployment audience.
+
+```json
+{
+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#admin/windows/updates/deployments/$entity",
+ "id": "de910e12-3456-7890-abcd-ef1234567890",
+ "createdDateTime": "2023-02-09T22:55:04.8547517Z",
+ "lastModifiedDateTime": "2023-02-09T22:55:04.8547524Z",
+ "state": {
+ "effectiveValue": "offering",
+ "requestedValue": "none",
+ "reasons": []
+ },
+ "content": {
+ "@odata.type": "#microsoft.graph.windowsUpdates.catalogContent",
+ "catalogEntry@odata.context": "https://graph.microsoft.com/beta/$metadata#admin/windows/updates/deployments('de910e12-3456-7890-abcd-ef1234567890')/content/microsoft.graph.windowsUpdates.catalogContent/catalogEntry/$entity",
+ "catalogEntry": {
+ "@odata.type": "#microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry",
+ "id": "693fafea03c24cca819b3a15123a8880f217b96a878b6d6a61be021d476cc432",
+ "displayName": null,
+ "deployableUntilDateTime": null,
+ "releaseDateTime": "2023-01-10T00:00:00Z",
+ "isExpeditable": false,
+ "qualityUpdateClassification": "security"
+ }
+ },
+ "settings": {
+ "schedule": null,
+ "monitoring": null,
+ "contentApplicability": null,
+ "userExperience": {
+ "daysUntilForcedReboot": 2
+ },
+ "expedite": {
+ "isExpedited": true
+ }
+ },
+ "audience@odata.context": "https://graph.microsoft.com/beta/$metadata#admin/windows/updates/deployments('de910e12-3456-7890-abcd-ef1234567890')/audience/$entity",
+ "audience": {
+ "id": "d39ad1ce-0123-4567-89ab-cdef01234567",
+ "applicableContent": []
+ }
+}
+```
+
+## Add members to the deployment audience
+
+The **Audience ID**, `d39ad1ce-0123-4567-89ab-cdef01234567`, was created when the deployment was created. The **Audience ID** is used to add members to the deployment audience. After the deployment audience is updated, Windows Update starts offering the update to the devices according to the deployment settings. As long as the deployment exists and the device is in the audience, the update will be expedited.
+
+The following example adds two devices to the deployment audience using the **Azure AD ID** for each device:
+
+```msgraph-interactive
+POST https://graph.microsoft.com/beta/admin/windows/updates/deploymentAudiences/d39ad1ce-0123-4567-89ab-cdef01234567/updateAudience
+content-type: application/json
+
+{
+ "addMembers": [
+ {
+ "@odata.type": "#microsoft.graph.windowsUpdates.azureADDevice",
+ "id": "01234567-89ab-cdef-0123-456789abcdef"
+ },
+ {
+ "@odata.type": "#microsoft.graph.windowsUpdates.azureADDevice",
+ "id": "01234567-89ab-cdef-0123-456789abcde0"
+ }
+ ]
+}
+```
+
+To verify the devices were added to the audience, run the following query using the **Audience ID** of `d39ad1ce-0123-4567-89ab-cdef01234567`:
+
+ ```msgraph-interactive
+ GET https://graph.microsoft.com/beta/admin/windows/updates/deploymentAudiences/d39ad1ce-0123-4567-89ab-cdef01234567/members
+ ```
+
+## Delete a deployment
+
+To stop an expedited deployment, DELETE the deployment. Deleting the deployment will prevent the content from being offered to devices if they haven't already received it. To resume offering the content, a new approval will need to be created.
+
+
+The following example deletes the deployment with a **Deployment ID** of `de910e12-3456-7890-abcd-ef1234567890`:
+
+```msgraph-interactive
+DELETE https://graph.microsoft.com/beta/admin/windows/updates/deployments/de910e12-3456-7890-abcd-ef1234567890
+```
+
+
+
+[!INCLUDE [Windows Update for Business deployment service permissions using Graph Explorer](./includes/wufb-deployment-update-health-tools-logs.md)]
\ No newline at end of file
diff --git a/windows/deployment/update/deployment-service-feature-updates.md b/windows/deployment/update/deployment-service-feature-updates.md
new file mode 100644
index 0000000000..b1a289befa
--- /dev/null
+++ b/windows/deployment/update/deployment-service-feature-updates.md
@@ -0,0 +1,292 @@
+---
+title: Deploy feature updates with Windows Update for Business deployment service.
+description: Use Windows Update for Business deployment service to deploy feature updates.
+ms.prod: windows-client
+author: mestew
+ms.localizationpriority: medium
+ms.author: mstewart
+manager: aaroncz
+ms.topic: article
+ms.technology: itpro-updates
+ms.date: 02/14/2023
+---
+
+# Deploy feature updates with Windows Update for Business deployment service
+
+***(Applies to: Windows 11 & Windows 10)***
+
+The Windows Update for Business deployment service is used to approve and schedule software updates. The deployment service exposes its capabilities through the [Microsoft Graph API](/graph/use-the-api). You can call the API directly, through a [Graph SDK](/graph/sdks/sdks-overview), or integrate them with a management tool such as [Microsoft Intune](/mem/intune).
+
+This article uses [Graph Explorer](/graph/graph-explorer/graph-explorer-overview) to walk through the entire process of deploying a feature update to clients. In this article, you will:
+
+In this article, you will:
+> [!div class="checklist"]
+> * [Open Graph Explorer](#open-graph-explorer)
+> * [Run queries to identify devices](#run-queries-to-identify-devices)
+> * [Enroll devices](#enroll-devices)
+> * [List catalog entries for feature updates](#list-catalog-entries-for-feature-updates)
+> * [Create a deployment](#create-a-deployment)
+> * [Add members to the deployment audience](#add-members-to-the-deployment-audience)
+> * [Pause a deployment](#pause-a-deployment)
+> * [Delete a deployment](#delete-a-deployment)
+> * [Unenroll devices](#unenroll-devices)
+
+
+## Prerequisites
+
+All of the [prerequisites for the Windows Update for Business deployment service](deployment-service-prerequisites.md) must be met.
+
+### Permissions
+
+
+[!INCLUDE [Windows Update for Business deployment service permissions using Graph Explorer](./includes/wufb-deployment-graph-explorer-permissions.md)]
+
+## Open Graph Explorer
+
+
+[!INCLUDE [Graph Explorer sign in](./includes/wufb-deployment-graph-explorer.md)]
+
+## Run queries to identify devices
+
+
+[!INCLUDE [Graph Explorer device queries](./includes/wufb-deployment-find-device-name-graph-explorer.md)]
+
+## Enroll devices
+
+When you enroll devices into feature update management, the deployment service becomes the authority for feature updates coming from Windows Update.
+As long as a device remains enrolled in feature update management through the deployment service, the device doesn't receive any other feature updates from Windows Update unless explicitly deployed using the deployment service. A device is offered the specified feature update if it hasn't already received the update. For example, if you deploy Windows 11 feature update version 22H2 to a device that's enrolled into feature update management and is currently on an older version of Windows 11, the device updates to version 22H2. If the device is already running version 22H2 or a later version, it stays on its current version.
+
+> [!TIP]
+> Windows Update for Business reports has a [workbook](wufb-reports-workbook.md#feature-updates-tab) that displays the current operating system version for devices. In the workbook, go to the **Feature updates** tab and in the **In Service feature update** tile, select the **View details** link to open the details flyout. The OS version and Azure AD ID of devices can easily be exported into a .csv file or opened in [Azure Monitor Logs](/azure/azure-monitor/logs/log-query-overview) to help when creating a deployment audience.
+
+
+[!INCLUDE [Graph Explorer enroll devices](./includes/wufb-deployment-enroll-device-graph-explorer.md)]
+
+## List catalog entries for feature updates
+
+Each feature update is associated with a unique [catalog entry](/graph/api/resources/windowsupdates-catalogentry). The `id` returned is the **Catalog ID** and is used to create a deployment. Feature updates are deployable until they reach their support retirement dates. For more information, see the support lifecycle dates for [Windows 10](/lifecycle/products/windows-10-enterprise-and-education) and [Windows 11](/lifecycle/products/windows-11-enterprise-and-education) Enterprise and Education editions. The following query lists all deployable feature update catalog entries:
+
+```msgraph-interactive
+GET https://graph.microsoft.com/beta/admin/windows/updates/catalog/entries?$filter=isof('microsoft.graph.windowsUpdates.featureUpdateCatalogEntry')
+```
+
+The following truncated response displays a **Catalog ID** of `d9049ddb-0ca8-4bc1-bd3c-41a456ef300f` for the Windows 11, version 22H2 feature update:
+
+```json
+{
+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#admin/windows/updates/catalog/entries",
+ "value": [
+ {
+ "@odata.type": "#microsoft.graph.windowsUpdates.featureUpdateCatalogEntry",
+ "id": "d9049ddb-0ca8-4bc1-bd3c-41a456ef300f",
+ "displayName": "Windows 11, version 22H2",
+ "deployableUntilDateTime": "2025-10-14T00:00:00Z",
+ "releaseDateTime": "2022-09-20T00:00:00Z",
+ "version": "Windows 11, version 22H2"
+ }
+ ]
+}
+```
+
+## Create a deployment
+
+When creating a deployment for a feature update, there are multiple options available to define how the deployment behaves. The deployment and monitoring settings are optional.
The following [deployment settings](/graph/api/resources/windowsupdates-deploymentsettings) are defined in the example request body for deploying the Windows 11, version 22H2 feature update (**Catalog ID** of `d9049ddb-0ca8-4bc1-bd3c-41a456ef300f`):
+
+- Deployment [start date](/graph/api/resources/windowsupdates-schedulesettings) of February 14, 2023 at 5 AM UTC
+- [Gradual rollout](/graph/api/resources/windowsupdates-gradualrolloutsettings) at a rate of 100 devices every three days
+- [Monitoring rule](/graph/api/resources/windowsupdates-monitoringrule) that will pause the deployment if five devices rollback the feature update
+- Default [safeguard hold](/graph/api/resources/windowsupdates-safeguardprofile) behavior of applying all applicable safeguards to devices in a deployment
+ - When safeguard holds aren't explicitly defined, the default safeguard hold behavior is applied automatically
+
+```msgraph-interactive
+POST https://graph.microsoft.com/beta/admin/windows/updates/deployments
+content-type: application/json
+
+{
+ "content": {
+ "@odata.type": "#microsoft.graph.windowsUpdates.catalogContent",
+ "catalogEntry": {
+ "@odata.type": "#microsoft.graph.windowsUpdates.featureUpdateCatalogEntry",
+ "id": "d9049ddb-0ca8-4bc1-bd3c-41a456ef300f"
+ }
+ },
+ "settings": {
+ "@odata.type": "microsoft.graph.windowsUpdates.deploymentSettings",
+ "schedule": {
+ "startDateTime": "2023-02-14T05:00:00Z",
+ "gradualRollout": {
+ "@odata.type": "#microsoft.graph.windowsUpdates.rateDrivenRolloutSettings",
+ "durationBetweenOffers": "P3D",
+ "devicesPerOffer": "100"
+ }
+ },
+ "monitoring": {
+ "monitoringRules": [
+ {
+ "signal": "rollback",
+ "threshold": 5,
+ "action": "pauseDeployment"
+ }
+ ]
+ }
+ }
+}
+```
+
+The response body will contain:
+- The new **Deployment ID**, `de910e12-3456-7890-abcd-ef1234567890` in the example
+- The new **Audience ID**, `d39ad1ce-0123-4567-89ab-cdef01234567` in the example
+- Any settings defined in the deployment request body
+
+
```json
+ {
+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#admin/windows/updates/deployments/$entity",
+ "id": "de910e12-3456-7890-abcd-ef1234567890",
+ "createdDateTime": "2023-02-07T19:21:15.425905Z",
+ "lastModifiedDateTime": "2023-02-07T19:21:15Z",
+ "state": {
+ "effectiveValue": "scheduled",
+ "requestedValue": "none",
+ "reasons": []
+ },
+ "content": {
+ "@odata.type": "#microsoft.graph.windowsUpdates.catalogContent",
+ "catalogEntry@odata.context": "https://graph.microsoft.com/beta/$metadata#admin/windows/updates/deployments('de910e12-3456-7890-abcd-ef1234567890')/content/microsoft.graph.windowsUpdates.catalogContent/catalogEntry/$entity",
+ "catalogEntry": {
+ "@odata.type": "#microsoft.graph.windowsUpdates.featureUpdateCatalogEntry",
+ "id": "d9049ddb-0ca8-4bc1-bd3c-41a456ef300f",
+ "displayName": "Windows 11, version 22H2",
+ "deployableUntilDateTime": "2025-10-14T00:00:00Z",
+ "releaseDateTime": "0001-01-01T00:00:00Z",
+ "version": "Windows 11, version 22H2"
+ }
+ },
+ "settings": {
+ "contentApplicability": null,
+ "userExperience": null,
+ "expedite": null,
+ "schedule": {
+ "startDateTime": "2023-02-14T05:00:00Z",
+ "gradualRollout": {
+ "@odata.type": "#microsoft.graph.windowsUpdates.rateDrivenRolloutSettings",
+ "durationBetweenOffers": "P3D",
+ "devicesPerOffer": 100
+ }
+ },
+ "monitoring": {
+ "monitoringRules": [
+ {
+ "signal": "rollback",
+ "threshold": 5,
+ "action": "pauseDeployment"
+ }
+ ]
+ }
+ },
+ "audience@odata.context": "https://graph.microsoft.com/beta/$metadata#admin/windows/updates/deployments('de910e12-3456-7890-abcd-ef1234567890')/audience/$entity",
+ "audience": {
+ "id": "d39ad1ce-0123-4567-89ab-cdef01234567",
+ "applicableContent": []
+ }
+ }
+ ```
+
+### Edit a deployment
+
+To [update deployment](/graph/api/windowsupdates-deployment-update), PATCH the deployment resource by its **Deployment ID** and supply the updated settings in the request body.
The following example keeps the existing gradual rollout settings that were defined when creating the deployment but changes the deployment start date to February 28, 2023 at 5 AM UTC:
+
+```msgraph-interactive
+PATCH https://graph.microsoft.com/beta/admin/windows/updates/deployments/de910e12-3456-7890-abcd-ef1234567890
+content-type: application/json
+
+{
+ "settings": {
+ "@odata.type": "microsoft.graph.windowsUpdates.deploymentSettings",
+ "schedule": {
+ "startDateTime": "2023-02-28T05:00:00Z",
+ "gradualRollout": {
+ "@odata.type": "#microsoft.graph.windowsUpdates.rateDrivenRolloutSettings",
+ "durationBetweenOffers": "P3D",
+ "devicesPerOffer": "100"
+ }
+ }
+ }
+}
+
+```
+
+Verify the deployment settings for the deployment with a **Deployment ID** of `de910e12-3456-7890-abcd-ef1234567890`:
+
+```msgraph-interactive
+GET https://graph.microsoft.com/beta/admin/windows/updates/deployments/de910e12-3456-7890-abcd-ef1234567890
+```
+
+## Add members to the deployment audience
+
+The **Audience ID**, `d39ad1ce-0123-4567-89ab-cdef01234567`, was created when the deployment was created. The **Audience ID** is used to add members to the deployment audience. After the deployment audience is updated, Windows Update starts offering the update to the devices according to the deployment settings. As long as the deployment exists and the device is in the audience, the update will be offered.
+
+The following example adds three devices to the deployment audience using the **Azure AD ID** for each device:
+
+ ```msgraph-interactive
+ POST https://graph.microsoft.com/beta/admin/windows/updates/deploymentAudiences/d39ad1ce-0123-4567-89ab-cdef01234567/updateAudience
+ content-type: application/json
+
+ {
+ "addMembers": [
+ {
+ "@odata.type": "#microsoft.graph.windowsUpdates.azureADDevice",
+ "id": "01234567-89ab-cdef-0123-456789abcdef"
+ },
+ {
+ "@odata.type": "#microsoft.graph.windowsUpdates.azureADDevice",
+ "id": "01234567-89ab-cdef-0123-456789abcde0"
+ },
+ {
+ "@odata.type": "#microsoft.graph.windowsUpdates.azureADDevice",
+ "id": "01234567-89ab-cdef-0123-456789abcde1"
+ }
+ ]
+ }
+ ```
+
+To verify the devices were added to the audience, run the following query using the **Audience ID** of `d39ad1ce-0123-4567-89ab-cdef01234567`:
+
+ ```msgraph-interactive
+ GET https://graph.microsoft.com/beta/admin/windows/updates/deploymentAudiences/d39ad1ce-0123-4567-89ab-cdef01234567/members
+ ```
+
+## Pause a deployment
+
+To pause a deployment, PATCH the deployment to have a `requestedValue` of `paused` for the [deploymentState](/graph/api/resources/windowsupdates-deploymentstate). To resume the deployment, use the value `none` and the state will either update to `offering` or `scheduled` if the deployment hasn't reached the start date yet.
+
+The following example pauses the deployment with a **Deployment ID** of `de910e12-3456-7890-abcd-ef1234567890`:
+
+```msgraph-interactive
+
+PATCH https://graph.microsoft.com/beta/admin/windows/updates/deployments/de910e12-3456-7890-abcd-ef1234567890
+content-type: application/json
+
+{
+ "@odata.type": "#microsoft.graph.windowsUpdates.deployment",
+ "state": {
+ "@odata.type": "microsoft.graph.windowsUpdates.deploymentState",
+ "requestedValue": "paused"
+ }
+}
+```
+
+## Delete a deployment
+
+To remove the deployment completely, DELETE the deployment.
Deleting the deployment will prevent the content from being offered to devices if they haven't already received it. To resume offering the content, a new approval will need to be created.
+
+
+The following example deletes the deployment with a **Deployment ID** of `de910e12-3456-7890-abcd-ef1234567890`:
+
+```msgraph-interactive
+DELETE https://graph.microsoft.com/beta/admin/windows/updates/deployments/de910e12-3456-7890-abcd-ef1234567890
+```
+
+## Unenroll devices
+
+
+[!INCLUDE [Graph Explorer enroll devices](./includes/wufb-deployment-graph-unenroll.md)]
diff --git a/windows/deployment/update/deployment-service-overview.md b/windows/deployment/update/deployment-service-overview.md
index 3d655149d9..4b8e52781b 100644
--- a/windows/deployment/update/deployment-service-overview.md
+++ b/windows/deployment/update/deployment-service-overview.md
@@ -6,98 +6,67 @@ author: mestew ms.localizationpriority: medium ms.author: mstewart manager: aaroncz -ms.topic: article +ms.topic: overview ms.technology: itpro-updates ms.date: 12/31/2017 --- - - # Windows Update for Business deployment service -**Applies to** +***(Applies to: Windows 11 & Windows 10)*** -- Windows 10 -- Windows 11 +The Windows Update for Business deployment service is a cloud service within the Windows Update for Business product family. It's designed to work with your existing [Windows Update for Business](waas-manage-updates-wufb.md) policies and [Windows Update for Business reports](wufb-reports-overview.md). The deployment service provides control over the approval, scheduling, and safeguarding of updates delivered from Windows Update to managed devices. The service is privacy focused and backed by leading industry compliance certifications. -The Windows Update for Business deployment service is a cloud service within the Windows Update for Business product family. It provides control over the approval, scheduling, and safeguarding of updates delivered from Windows Update. It's designed to work in harmony with your existing Windows Update for Business policies. +Windows Update for Business product family has three elements: -The deployment service is designed for IT Pros who are looking for more control than is provided through deferral policies and deployment rings. It provides the following abilities: +- Client policy to govern update experiences and timing, which are available through Group Policy and CSPs +- [Windows Update for Business reports](wufb-reports-overview.md) to monitor update deployment +- Deployment service APIs to approve and schedule specific updates for deployment, which are available through the Microsoft Graph and associated SDKs (including PowerShell) -- You can schedule deployment of updates to start on a specific date (for example, deploy 20H2 to specified devices on March 14, 2021). 
-- You can stage deployments over a period of days or weeks by using rich expressions (for example, deploy 20H2 to 500 devices per day, beginning on March 14, 2021). -- You can bypass pre-configured Windows Update for Business policies to immediately deploy a security update across your organization when emergencies arise. -- You can benefit from deployments with automatic piloting tailored to your unique device population to ensure coverage of hardware and software in your organization. -- You can use safeguards against likely update issues that have been identified by Microsoft machine-learning algorithms and automatically hold the deployment for any affected devices. +The deployment service complements existing Windows Update for Business capabilities, including existing device policies and the[Windows Update for Business reports workbook](wufb-reports-workbook.md). -The service is privacy focused and backed by leading industry compliance certifications. +:::image type="content" source="media/7512398-deployment-service-overview.png" alt-text="Diagram displaying the three elements that are parts of the Windows Update for Business family."::: -## How it works +## How the deployment service works -The deployment service complements existing Windows Update for Business capabilities, including existing device policies and [Windows Update for Businesss reports](wufb-reports-overview.md). +With most update management solutions, usually update policies are set on the client itself using either registry edits, Group Policy, or an MDM solution that leverages CSPs. This means that the end user experience and deployment settings for updates are ultimately determined by the individual device settings. However, with Windows Update for Business deployment service, the service is the central point of control for update deployment behavior. 
Because the deployment service is directly integrated with Windows Update, once the admin defines the deployment behavior, Windows Update is already aware of how device should be directed to install updates when the device scans. The deployment service creates a direct communication channel between a management tool (including scripting tools such as Windows PowerShell) and the Windows Update service so that the approval and offering of content can be directly controlled by an admin. -:::image type="content" source="media/wufbds-product-large.png" alt-text="Elements in following text."::: - -Windows Update for Business comprises three elements: -- Client policy to govern update experiences and timing – available through Group Policy and CSPs -- Deployment service APIs to approve and schedule specific updates – available through the Microsoft Graph and associated SDKs (including PowerShell) -- Windows Update for Business reports to monitor update deployment - -Unlike existing client policy, the deployment service doesn't interact with devices directly. The service is native to the cloud and all operations take place between various Microsoft services. It creates a direct communication channel between a management tool (including scripting tools such as Windows PowerShell) and the Windows Update service so that the approval and offering of content can be directly controlled by an IT Pro. - -:::image type="content" source="media/wufbds-interaction-small.png" alt-text="Process described in following text."::: Using the deployment service typically follows a common pattern: -1. IT Pro uses a management tool to select devices and approve content to be deployed. This tool could be PowerShell, a Microsoft Graph app or a more complete management solution such as Microsoft Intune. -2. The chosen tool conveys your approval, scheduling, and device selection information to the deployment service. +1. 
An admin uses a management tool to select devices and approve content to be deployed. This tool could be PowerShell, a Microsoft Graph app, or a more complete management solution such as Microsoft Intune. +2. The chosen management tool conveys your approval, scheduling, and device selection information to the deployment service. 3. The deployment service processes the content approval and compares it with previously approved content. Final update applicability is determined and conveyed to Windows Update, which then offers approved content to devices on their next check for updates. -The deployment service exposes these capabilities through Microsoft [Graph REST APIs](/graph/overview). You can call the APIs directly, through a Graph SDK, or integrate them with a management tool such as Microsoft Intune. + :::image type="content" source="media/wufbds-interaction-small.png" alt-text="Diagram displaying "::: -## Prerequisites +The deployment service exposes these capabilities through Microsoft [Graph REST APIs](/graph/overview). You can call the APIs directly, through a Graph SDK, or integrate them with a management tool such as [Microsoft Intune](/mem/intune). -To work with the deployment service, devices must meet all these requirements: +## Capabilities of the Windows Update for Business deployment service -- Be running Windows 10, version 1709 or later (or Windows 11) -- Be joined to Azure Active Directory (AD) or Hybrid AD -- Have one of the following Windows 10 or Windows 11 editions installed: - - Pro - - Enterprise - - Education - - Pro Education - - Pro for Workstations +The deployment service is designed for IT Pros who are looking for more control than is provided through deferral policies and deployment rings. 
The service provides the following capabilities for updates: -Additionally, your organization must have one of the following subscriptions: -- Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5) -- Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5) -- Windows Virtual Desktop Access E3 or E5 -- Microsoft 365 Business Premium +- **Approval and scheduling**: Approve and schedule deployment of updates to start on a specific date + - *Example*: Deploy the Windows 11 22H2 feature update to specified devices on February 17, 2023. +- **Gradual rollout**: Stage deployments over a period of days or weeks by specifying gradual rollout settings + - *Example*: Deploy the Windows 11 22H2 feature update to 500 devices per day, beginning on February 17, 2023 +- **Expedite**: Bypass the configured Windows Update for Business policies to immediately deploy a security update across the organization +- **Safeguard holds**: Automatically holds the deployment for devices that may be impacted by an update issue identified by Microsoft machine-learning algorithms -## Getting started +Certain capabilities are available for specific update classifications: -To use the deployment service, you use a management tool built on the platform, script common actions using PowerShell, or build your own application. +|Capabilities | [Quality updates](deployment-service-expedited-updates.md) | [Feature updates](deployment-service-feature-updates.md) | [Drivers and firmware](deployment-service-drivers.md)| +|---|---|---|---| +|Approval and scheduling | | Yes | Yes | +|Gradual rollout | | Yes | | +|Expedite | Yes | | | +|Safeguard holds| | Yes | | -### Using Microsoft Intune - -Intune integrates with the deployment service to provide Windows client update management capabilities. For more information, see [Feature updates for Windows 10 and later policy in Intune](/mem/intune/protect/windows-10-feature-updates). 
- -### Scripting common actions using PowerShell - -The Microsoft Graph SDK includes a PowerShell extension that you can use to script and automate common update actions. For more information, see [Get started with the Microsoft Graph PowerShell SDK](/graph/powershell/get-started). - -### Building your own application - -Microsoft Graph makes deployment service APIs available through. Get started with these learning paths: -- Learning path: [Microsoft Graph Fundamentals](/training/paths/m365-msgraph-fundamentals/) -- Learning path: [Build apps with Microsoft Graph](/training/paths/m365-msgraph-associate/) - -Once you're familiar with Microsoft Graph development, see [Windows updates API overview in Microsoft Graph](/graph/windowsupdates-concept-overview) for more. ## Deployment protections The deployment service protects deployments through a combination of rollout controls and machine-learning algorithms that monitor deployments and react to issues during the rollout. -### Schedule rollouts with automatic piloting +### Gradual rollout The deployment service allows any update to be deployed over a period of days or weeks. Once an update has been scheduled, the deployment service optimizes the deployment based on the scheduling parameters and unique attributes spanning the devices being updated. The service follows these steps: 
@@ -106,80 +75,45 @@ The deployment service allows any update to be deployed over a period of days or 3. Start deploying to earlier waves to build coverage of device attributes present in the population. 4. Continue deploying at a uniform rate until all waves are complete and all devices are updated. -This built-in piloting capability complements your existing ring structure and provides another support for reducing and managing risk during an update. Unlike tools such as Desktop Analytics, this capability is intended to operate within each ring. The deployment service doesn't provide a workflow for creating rings themselves. - -You should continue to use deployment rings as part of the servicing strategy for your organization, but use gradual rollouts to add scheduling convenience and other protections within each ring. +This built-in piloting capability complements your existing [deployment ring](waas-quick-start.md) structure and provides another support for reducing and managing risk during an update. This capability is intended to operate within each ring. The deployment service doesn't provide a workflow for creating rings themselves. Continue to use deployment rings as part of the servicing strategy for your organization, but use gradual rollouts to add scheduling convenience and other protections within each ring. ### Safeguard holds against likely and known issues -Microsoft uses [safeguard holds](/windows/deployment/update/safeguard-holds) to protect devices from encountering known quality or compatibility issues by preventing them from installing the update or upgrade. For Windows 11 deployments, the deployment service extends these safeguard holds to also protect devices that Microsoft identifies as being at a higher risk of experiencing problems after an update (such as operating system rollbacks, app crashes, or graphics issues). The service temporarily holds the deployment for these devices while Microsoft investigates the likely issue. 
Safeguard holds apply to deployments by default, but you can opt out. - -To verify whether a device is affected by a safeguard hold, see [Am I affected by a safeguard hold?](/windows/deployment/update/safeguard-holds#am-i-affected-by-a-safeguard-hold) +Microsoft uses [safeguard holds](/windows/deployment/update/safeguard-holds) to protect devices from encountering known quality or compatibility issues by preventing them from installing the update or upgrade. For Windows 11 deployments, the deployment service also extends safeguard holds to protect devices that Microsoft identifies as being at a higher risk of experiencing problems after an update (such as operating system rollbacks, app crashes, or graphics issues). The service temporarily holds the deployment for these devices while Microsoft investigates the likely issue. Safeguard holds apply to deployments by default, but you can opt out. To verify whether a device is affected by a safeguard hold, see [Am I affected by a safeguard hold?](/windows/deployment/update/safeguard-holds#am-i-affected-by-a-safeguard-hold). ### Monitoring deployments to detect rollback issues During deployments of Windows 11 or Windows 10 feature updates, driver combinations can sometimes result in an unexpected update failure that makes the device revert to the previously installed operating system version. The deployment service can monitor devices for such issues and automatically pause deployments when this happens, giving you time to detect and mitigate issues. -### How to enable deployment protections +## Get started with the deployment service -Deployment scheduling controls are always available, but to take advantage of the unique deployment protections tailored to your population, devices must share diagnostic data with Microsoft. +To use the deployment service, you use a management tool built on the platform like Microsoft Intune, script common actions using PowerShell, or build your own application. 
-#### Device prerequisites +To learn more about the deployment service and the deployment process, see: -- Diagnostic data is set to *Required* or *Optional*. -- The **AllowWUfBCloudProcessing** policy is set to **8**. +- [Prerequisites for Windows Update for Business deployment service](deployment-service-prerequisites.md) +- [Deploy feature updates using Graph Explorer](deployment-service-feature-updates.md) +- [Deploy expedited updates using Graph Explorer](deployment-service-expedited-updates.md) +- [Deploy driver and firmware updates using Graph Explorer](deployment-service-drivers.md) -#### Set the **AllowWUfBCloudProcessing** policy +### Scripting common actions using PowerShell -To enroll devices in Windows Update for Business cloud processing, set the **AllowWUfBCloudProcessing** policy using mobile device management (MDM) policy or Group Policy. +The Microsoft Graph SDK includes a PowerShell extension that you can use to script and automate common update actions. For more information, see [Get started with the Microsoft Graph PowerShell SDK](/graph/powershell/get-started). -| Policy| Sets registry key under `HKLM\Software`| -|--|--| -| GPO for Windows 10, version 1809 or later: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > **Allow WUfB Cloud Processing** | `\Policies\Microsoft\Windows\DataCollection\AllowWUfBCloudProcessing` | -| MDM for Windows 10, version 1809 or later: ../Vendor/MSFT/ Policy/Config/System/**AllowWUfBCloudProcessing** | `\Microsoft\PolicyManager\current\device\System\AllowWUfBCloudProcessing` | +### Building your own application -Following is an example of setting the policy using Intune: +Microsoft Graph makes deployment service APIs available through. Get started with the resources below: -1. Sign in to the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 
+- Learning path: [Microsoft Graph Fundamentals](/training/paths/m365-msgraph-fundamentals/) +- Learning path: [Build apps with Microsoft Graph](/training/paths/m365-msgraph-associate/) -2. Select **Devices** > **Configuration profiles** > **Create profile**. +- Windows Update for Business deployment service [sample driver deployment application](https://github.com/microsoftgraph/windowsupdates-webapplication-sample) on GitHub +- [Windows updates API overview in Microsoft Graph](/graph/windowsupdates-concept-overview) -3. Select **Windows 10 and later** in **Platform**, select **Templates** in **Profile type**, select **Custom** in **Template name**, and then select **Create**. +### Use Microsoft Intune -4. In **Basics**, enter a meaningful name and a description for the policy, and then select **Next**. - -5. In **Configuration settings**, select **Add**, enter the following settings, select **Save**, and then select **Next**. - - Name: **AllowWUfBCloudProcessing** - - Description: Enter a description. - - OMA-URI: `./Vendor/MSFT/Policy/Config/System/AllowWUfBCloudProcessing` - - Data type: **Integer** - - Value: **8** - -6. In **Assignments**, select the groups that will receive the profile, and then select **Next**. - -7. In **Review + create**, review your settings, and then select **Create**. - -8. (Optional) To verify that the policy reached the client, check the value of the following registry entry: - - `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\System\AllowWUfBCloudProcessing` - -## Best practices -Follow these suggestions for the best results with the service. - -### Device onboarding - -- Wait until devices finish provisioning before managing with the service. If a device is being provisioned by Autopilot, it can only be managed by the deployment service after it finishes provisioning (typically one day). - -- Use the deployment service for feature update management without feature update deferral policy. 
If you want to use the deployment service to manage feature updates on a device that previously used a feature update deferral policy, it's best to set the feature update deferral policy to **0** days to avoid having multiple conditions governing feature updates. You should only change the feature update deferral policy value to 0 days after you've confirmed that the device was enrolled in the service with no errors. - -### General - -Avoid using different channels to manage the same resources. If you use Microsoft Intune along with Microsoft Graph APIs or PowerShell, aspects of resources (such as devices, deployments, updatable asset groups) might be overwritten if you use both channels to manage the same resources. Instead, only manage each resource through the channel that created it. - - -## Next steps - -To learn more about the deployment service, try the following: +Microsoft Intune integrates with the deployment service to provide Windows client update management capabilities. For more information, see: - [Feature updates for Windows 10 and later policy in Intune](/mem/intune/protect/windows-10-feature-updates) -- [Windows updates API overview in Microsoft Graph](/graph/windowsupdates-concept-overview) +- [Expedite Windows quality updates in Microsoft Intune](/mem/intune/protect/windows-10-expedite-updates) + diff --git a/windows/deployment/update/deployment-service-prerequisites.md b/windows/deployment/update/deployment-service-prerequisites.md new file mode 100644 index 0000000000..40b91b4b9f --- /dev/null +++ b/windows/deployment/update/deployment-service-prerequisites.md 
@@ -0,0 +1,102 @@ +--- +title: Prerequisites for the Windows Update for Business deployment service +description: Prerequisites for using the Windows Update for Business deployment service. +ms.prod: windows-client +author: mestew +ms.localizationpriority: medium +ms.author: mstewart +manager: aaroncz +ms.topic: article +ms.technology: itpro-updates +ms.date: 02/14/2023 +--- + +# Windows Update for Business deployment service prerequisites + +***(Applies to: Windows 11 & Windows 10)*** + +Before you begin the process of deploying updates with Windows Update for Business deployment service, ensure you meet the prerequisites. + +## Azure and Azure Active Directory + +- An Azure subscription with [Azure Active Directory](/azure/active-directory/) +- Devices must be Azure Active Directory-joined and meet the below OSrequirements. + - Devices can be [Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join) or [hybrid Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid). + - Devices that are [Azure AD registered](/azure/active-directory/devices/concept-azure-ad-register) only (Workplace joined) aren't supported with Windows Update for Business + +## Licensing + +Windows Update for Business deployment service requires users of the devices to have one of the following licenses: + +- Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5) +- Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5) +- Windows Virtual Desktop Access E3 or E5 +- Microsoft 365 Business Premium + +## Operating systems and editions + +- Windows 11 Professional, Education, Enterprise, Pro Education, or Pro for Workstations editions +- Windows 10 Professional, Education, Enterprise, Pro Education, or Pro for Workstations editions + +Windows Update for Business deployment service supports Windows client devices on the **General Availability Channel**. 
+ +### Windows operating system updates + +- Expediting updates requires the *Update Health Tools* on the clients. The tools are are installed starting with [KB 4023057](https://support.microsoft.com/topic/kb4023057-update-for-windows-10-update-service-components-fccad0ca-dc10-2e46-9ed1-7e392450fb3a). To confirm the presence of the Update Health Tools on a device: + - Look for the folder **C:\Program Files\Microsoft Update Health Tools** or review *Add Remove Programs* for **Microsoft Update Health Tools**. + - As an Admin, run the following PowerShell script: `Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -match "Microsoft Update Health Tools"}` + +- For [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection#services-that-rely-on-enhanced-diagnostic-data), installing the January 2023 release preview cumulative update, or a later equivalent update, is recommended + +## Diagnostic data requirements + +Deployment scheduling controls are always available. However, to take advantage of the unique deployment protections tailored to your population and to [deploy driver updates](deployment-service-drivers.md), devices must share diagnostic data with Microsoft. For these features, at minimum, the deployment service requires devices to send [diagnostic data](/windows/privacy/configure-windows-diagnostic-data-in-your-organization#diagnostic-data-settings) at the *Required* level (previously called *Basic*) for these features. 
+ +When you use [Windows Update for Business reports](wufb-reports-overview.md) in conjunction with the deployment service, using diagnostic data at the following levels allows device names to appear in reporting: + +- *Optional* level (previously *Full*) for Windows 11 devices +- *Enhanced* level for Windows 10 devices + +## Permissions + +- [Windows Update for Business deployment service](/graph/api/resources/windowsupdates) operations require [WindowsUpdates.ReadWrite.All](/graph/permissions-reference#windows-updates-permissions) + - Some roles, such as the [Windows Update deployment administrator](/azure/active-directory/roles/permissions-reference#windows-update-deployment-administrator), already have the permissions. + +> [!NOTE] +> Leveraging other parts of the Graph API might require additional permissions. For example, to display [device](/graph/api/resources/device) information, a minimum of [Device.Read.All](/graph/permissions-reference#device-permissions) permission is needed. + +## Required endpoints + +- Have access to the following endpoints: + +- [Windows Update endpoints](/windows/privacy/manage-windows-1809-endpoints#windows-update) + - *.prod.do.dsp.mp.microsoft.com + - *.windowsupdate.com + - *.dl.delivery.mp.microsoft.com + - *.update.microsoft.com + - *.delivery.mp.microsoft.com + - tsfe.trafficshaping.dsp.mp.microsoft.com +- Windows Update for Business deployment service endpoints + + - devicelistenerprod.microsoft.com + - login.windows.net + - payloadprod*.blob.core.windows.net + +- [Windows Push Notification Services](/windows/uwp/design/shell/tiles-and-notifications/firewall-allowlist-config): *(Recommended, but not required. 
Without this access, devices might not expedite updates until their next daily check for updates.)* + - *.notify.windows.com + + +## Limitations + + +[!INCLUDE [Windows Update for Business deployment service limitations](./includes/wufb-deployment-limitations.md)] + +## General tips for the deployment service + +Follow these suggestions for the best results with the service: + +- Wait until devices finish provisioning before managing with the service. If a device is being provisioned by Autopilot, it can only be managed by the deployment service after it finishes provisioning (typically one day). + +- Use the deployment service for feature update management without feature update deferral policy. If you want to use the deployment service to manage feature updates on a device that previously used a feature update deferral policy, it's best to set the feature update deferral policy to **0** days to avoid having multiple conditions governing feature updates. You should only change the feature update deferral policy value to 0 days after you've confirmed that the device was enrolled in the service with no errors. + +- Avoid using different channels to manage the same resources. If you use Microsoft Intune along with Microsoft Graph APIs or PowerShell, aspects of resources (such as devices, deployments, updatable asset groups) might be overwritten if you use both channels to manage the same resources. Instead, only manage each resource through the channel that created it. diff --git a/windows/deployment/update/deployment-service-troubleshoot.md b/windows/deployment/update/deployment-service-troubleshoot.md index f584bbae71..de2a896cad 100644 --- a/windows/deployment/update/deployment-service-troubleshoot.md +++ b/windows/deployment/update/deployment-service-troubleshoot.md 
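Review bot: The PowerShell check under "Windows operating system updates" queries `Win32_Product`, which makes Windows Installer run a consistency check on every installed MSI package and can start repairs, so it is slow and has side effects on a device the admin only wants to inspect. `Get-WmiObject` is also not available in PowerShell 7. A read-only check gives the same answer, for example `Test-Path "$env:ProgramFiles\Microsoft Update Health Tools"` or `Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*' | Where-Object DisplayName -match 'Microsoft Update Health Tools'`. The same hunk has two typos: "The tools are are installed" and "OSrequirements".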
@@ -15,10 +15,7 @@ ms.date: 12/31/2017 # Troubleshoot the Windows Update for Business deployment service -**Applies to** - -- Windows 10 -- Windows 11 +***(Applies to: Windows 11 & Windows 10)*** This troubleshooting guide addresses the most common issues that IT administrators face when using the Windows Update for Business [deployment service](deployment-service-overview.md). For a general troubleshooting guide for Windows Update, see [Windows Update troubleshooting](/troubleshoot/windows-client/deployment/windows-update-issues-troubleshooting?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json). 
@@ -35,3 +32,25 @@ This troubleshooting guide addresses the most common issues that IT administrato - Check that the device is scanning the Windows Update service and not a different endpoint. If the device is scanning for updates from a WSUS endpoint, for example, it might receive different updates. To learn more about scanning for updates, see [Scanning updates](how-windows-update-works.md#scanning-updates). - **Feature updates only**: Check that the device is successfully enrolled in feature update management by the deployment service. A device that is not successfully enrolled might receive different updates according to its feature update deferral period, for example. A device that is successfully enrolled will be represented by an Azure AD device resource with an update management enrollment for feature updates and have no Azure AD device registration errors. + +### The device installed a newer update then the expedited update I deployed + +There are some scenarios when a deployment to expedite an update results in the installation of a more recent update than specified in policy. This result occurs when the newer update includes and surpasses the specified update, and that newer update is available before a device checks in to install the update that's specified in the expedite update policy. + +Installing the most recent quality update reduces disruptions to the device and user while applying the benefits of the intended update. This avoids having to install multiple updates, which each might require separate reboots. + +A more recent update is deployed when the following conditions are met: + +- The device isn't targeted with a deferral policy that blocks installation of a more recent update. In this case, the most recently available update that isn't deferred is the update that might install. + +- During the process to expedite an update, the device runs a new scan that detects the newer update. 
This can occur due to the timing of: + - When the device restarts to complete installation + - When the device runs its daily scan + - When a new update becomes available + + When a scan identifies a newer update, Windows Update attempts to stop installation of the original update, cancel the restart, and then starts the download and installation of the more recent update. + +While expedite update deployments will override an update deferral for the update version that's specified, they don't override deferrals that are in place for any other update version. + + +[!INCLUDE [Windows Update for Business deployment service permissions using Graph Explorer](./includes/wufb-deployment-update-health-tools-logs.md)] diff --git a/windows/deployment/update/includes/wufb-deployment-audience-graph-explorer.md b/windows/deployment/update/includes/wufb-deployment-audience-graph-explorer.md new file mode 100644 index 0000000000..fda5f5a881 --- /dev/null +++ b/windows/deployment/update/includes/wufb-deployment-audience-graph-explorer.md 
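Review bot: The `[!INCLUDE ...]` added at the end of the troubleshooting article is labelled "Windows Update for Business deployment service permissions using Graph Explorer" but points at `./includes/wufb-deployment-update-health-tools-logs.md`, so the label describes the wrong include. It looks copied from the permissions include. Suggested line: `[!INCLUDE [Log location for the Update Health Tools](./includes/wufb-deployment-update-health-tools-logs.md)]`. The new heading "The device installed a newer update then the expedited update I deployed" should read "than".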
@@ -0,0 +1,63 @@ +--- +author: mestew +ms.author: mstewart +manager: aaroncz +ms.technology: itpro-updates +ms.prod: windows-client +ms.topic: include +ms.date: 02/14/2023 +ms.localizationpriority: medium +--- + +A deployment audience is a collection of devices that you want to deploy updates to. The audience needs to be created first, then members are added to the audience. Use the following steps to create a deployment audience, add members, and verify it: + +1. To create a new audience, **POST** to the [deployment audience](/graph/api/resources/windowsupdates-deploymentaudience) resource with a request body of `{}`. + + ```msgraph-interactive + POST https://graph.microsoft.com/beta/admin/windows/updates/deploymentAudiences + content-type: application/json + + {} + ``` + + The POST returns an HTTP status code of `201 Created` as a response with the following body, where `id` is the **Audience ID**: + + ```json + { + "@odata.context": "https://graph.microsoft.com/beta/$metadata#admin/windows/updates/deploymentAudiences/$entity", + "id": "d39ad1ce-0123-4567-89ab-cdef01234567", + "reportingDeviceCount": 0, + "applicableContent": [] + } + ``` + + +1. Add devices, using their **Azure AD ID**, to the deployment audience so they become audience members. Specify the deployment **Audience ID** in the URL field and the devices to add in the request body. The `id` property specifies the **Azure AD ID** of the device. 
+ + ```msgraph-interactive + POST https://graph.microsoft.com/beta/admin/windows/updates/deploymentAudiences/d39ad1ce-0123-4567-89ab-cdef01234567/updateAudience + content-type: application/json + + { + "addMembers": [ + { + "@odata.type": "#microsoft.graph.windowsUpdates.azureADDevice", + "id": "01234567-89ab-cdef-0123-456789abcdef" + }, + { + "@odata.type": "#microsoft.graph.windowsUpdates.azureADDevice", + "id": "01234567-89ab-cdef-0123-456789abcde0" + }, + { + "@odata.type": "#microsoft.graph.windowsUpdates.azureADDevice", + "id": "01234567-89ab-cdef-0123-456789abcde1" + } + ] + } + ``` + +1. To verify the devices were added to the audience, run the following query using the **Audience ID** of `d39ad1ce-0123-4567-89ab-cdef01234567`: + + ```msgraph-interactive + GET https://graph.microsoft.com/beta/admin/windows/updates/deploymentAudiences/d39ad1ce-0123-4567-89ab-cdef01234567/members + ``` diff --git a/windows/deployment/update/includes/wufb-deployment-enroll-device-graph-explorer.md b/windows/deployment/update/includes/wufb-deployment-enroll-device-graph-explorer.md new file mode 100644 index 0000000000..0ae067e62f --- /dev/null +++ b/windows/deployment/update/includes/wufb-deployment-enroll-device-graph-explorer.md 
@@ -0,0 +1,45 @@ +--- +author: mestew +ms.author: mstewart +manager: aaroncz +ms.technology: itpro-updates +ms.prod: windows-client +ms.topic: include +ms.date: 02/14/2023 +ms.localizationpriority: medium +--- + + +You enroll devices based on the types of updates you want them to receive. Currently, you can enroll devices to receive feature updates (`feature`) or drivers (`driver`). You can enroll devices to receive updates from multiple update classifications. + +1. To enroll devices, POST to [updatableAssets](/graph/api/resources/windowsupdates-updatableasset) using [enrollAssets](/graph/api/windowsupdates-updatableasset-enrollassets). The following example enrolls three devices to receive driver updates: + 1. In Graph Explorer, select **POST** from the drop-down list for the HTTP verb. + 1. Enter the following request into the URL field:
+ `https://graph.microsoft.com/beta/admin/windows/updates/updatableAssets/enrollAssets` + 1. In the **Request body** tab, enter the following JSON, supplying the following information: + - **Azure AD Device ID** as `id` + - Either `feature` or `driver` for the updateCategory + + ```json + { + "updateCategory": "driver", + "assets": [ + { + "@odata.type": "#microsoft.graph.windowsUpdates.azureADDevice", + "id": "01234567-89ab-cdef-0123-456789abcdef" + }, + { + "@odata.type": "#microsoft.graph.windowsUpdates.azureADDevice", + "id": "01234567-89ab-cdef-0123-456789abcde0" + }, + { + "@odata.type": "#microsoft.graph.windowsUpdates.azureADDevice", + "id": "01234567-89ab-cdef-0123-456789abcde1" + } + ] + } + ``` + + 1. Select the **Run query** button. The results will appear in the **Response** window. In this case, the HTTP status code of `202 Accepted`. + + :::image type="content" source="../media/7512398-deployment-enroll-asset-graph.png" alt-text="Screenshot of successfully enrolling assets through Graph Explorer." lightbox="../media/7512398-deployment-enroll-asset-graph.png" ::: diff --git a/windows/deployment/update/includes/wufb-deployment-find-device-name-graph-explorer.md b/windows/deployment/update/includes/wufb-deployment-find-device-name-graph-explorer.md new file mode 100644 index 0000000000..03e32e5950 --- /dev/null +++ b/windows/deployment/update/includes/wufb-deployment-find-device-name-graph-explorer.md 
@@ -0,0 +1,54 @@ +--- +author: mestew +ms.author: mstewart +manager: aaroncz +ms.technology: itpro-updates +ms.prod: windows-client +ms.topic: include +ms.date: 02/14/2023 +ms.localizationpriority: medium +--- + + +Use the [device](/graph/api/resources/device) resource type to find clients to enroll into the deployment service. Change the query parameters to fit your specific needs. For more information, see [Use query parameters](/graph/query-parameters). + +- Displays the **AzureAD Device ID** and **Name** of all devices: + + ```msgraph-interactive + GET https://graph.microsoft.com/v1.0/devices?$select=deviceid,displayName + ``` + +- Displays the **AzureAD Device ID** and **Name** for devices that have a name starting with `Test`: + + ```msgraph-interactive + GET https://graph.microsoft.com/v1.0/devices?$filter=startswith (displayName,'Test')&$select=deviceid,displayName + ``` + + +### Add a request header for advanced queries + +For the next requests, set the **ConsistencyLevel** header to `eventual`. For more information about advanced query parameters, see [Advanced query capabilities on Azure AD directory objects](/graph/aad-advanced-queries). + +1. In Graph Explorer, select the **Request headers** tab. +1. For **Key** type in `ConsistencyLevel` and for **Value**, type `eventual`. +1. Select the **Add** button. When you're finished, remove the request header by selecting the trash can icon. 
+ + :::image type="content" source="../media/7512398-deployment-service-graph-modify-header.png" alt-text="Screenshot of the request headers tab in Graph Explorer" lightbox="../media/7512398-deployment-service-graph-modify-header.png"::: + +- Display the **Name** and **Operating system version** for the device that has `01234567-89ab-cdef-0123-456789abcdef` as the **AzureAD Device ID**: + + ```msgraph-interactive + GET https://graph.microsoft.com/v1.0/devices?$search="deviceid:01234567-89ab-cdef-0123-456789abcdef"?$select=displayName,operatingSystemVersion` + ``` + +- To find devices that likely aren't virtual machines, filter for devices that don't have virtual machine listed as the model but do have a manufacturer listed. Display the **AzureAD Device ID**, **Name**, and **Operating system version** for each device: + + ```msgraph-interactive + GET https://graph.microsoft.com/v1.0/devices?$filter=model ne 'virtual machine' and NOT(manufacturer eq null)&$count=true&$select=deviceid,displayName,operatingSystemVersion` + ``` + +> [!Tip] +> Requests using the [device](/graph/api/resources/device) resource type typically have both an `id` and a `deviceid`: +> - The `deviceid` is the **Azure AD Device ID** and will be used in this article. +> - Later in this article, this `deviceid` will be used as an `id` when you make certain requests such as adding a device to a deployment audience. +> - The `id` from the [device](/graph/api/resources/device) resource type is usually the Azure AD Object ID, which won't be used in this article. diff --git a/windows/deployment/update/includes/wufb-deployment-graph-explorer-permissions.md b/windows/deployment/update/includes/wufb-deployment-graph-explorer-permissions.md new file mode 100644 index 0000000000..563163371b --- /dev/null +++ b/windows/deployment/update/includes/wufb-deployment-graph-explorer-permissions.md 
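Review bot: Both requests under "Add a request header for advanced queries" end with a stray backtick inside the code fence, and the `$search` request joins its second parameter with `?` instead of `&`, so a reader who pastes either one sends a malformed request. Suggested line: `GET https://graph.microsoft.com/v1.0/devices?$search="deviceid:01234567-89ab-cdef-0123-456789abcdef"&$select=displayName,operatingSystemVersion`, and the `$filter` request should end at `operatingSystemVersion` without the backtick. The earlier `startswith (displayName,'Test')` example has a space before the parenthesis; that may be tolerated, but it is worth confirming in Graph Explorer.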
@@ -0,0 +1,18 @@ +--- +author: mestew +ms.author: mstewart +manager: aaroncz +ms.technology: itpro-updates +ms.prod: windows-client +ms.topic: include +ms.date: 02/14/2023 +ms.localizationpriority: medium +--- + + +The following permissions are needed for the queries listed in this article: + +- [WindowsUpdates.ReadWrite.All](/graph/permissions-reference#windows-updates-permissions) for [Windows Update for Business deployment service](/graph/api/resources/windowsupdates) operations. +- At least [Device.Read.All](/graph/permissions-reference#device-permissions) permission to display [device](/graph/api/resources/device) information. + +Some roles, such as the [Windows Update deployment administrator](/azure/active-directory/roles/permissions-reference#windows-update-deployment-administrator), already have these permissions. diff --git a/windows/deployment/update/includes/wufb-deployment-graph-explorer.md b/windows/deployment/update/includes/wufb-deployment-graph-explorer.md new file mode 100644 index 0000000000..31b45d8227 --- /dev/null +++ b/windows/deployment/update/includes/wufb-deployment-graph-explorer.md 
@@ -0,0 +1,34 @@ +--- +author: mestew +ms.author: mstewart +manager: aaroncz +ms.technology: itpro-updates +ms.prod: windows-client +ms.topic: include +ms.date: 02/14/2023 +ms.localizationpriority: medium +--- + + +For this article, you'll use Graph Explorer to make requests to the [Microsoft Graph APIs](/graph/api/resources/windowsupdates-updates?view=graph-rest-beta&preserve-view=true) to retrieve, add, delete, and update data. Graph Explorer is a developer tool that lets you learn about Microsoft Graph APIs. For more information about using Graph Explorer, see [Get started with Graph Explorer](/graph/graph-explorer/overview). + +> [!WARNING] +> +> - Requests listed in this article require signing in with a Microsoft 365 account. If needed, a free one month trial is available for [Microsoft 365 Business Premium](https://www.microsoft.com/microsoft-365/business/microsoft-365-business-premium). +> - Using a test tenant to verify the deployment process first is highly recommended. If you use a production tenant, ensure you verify which client devices you're targeting with deployments. + +1. From a browser, go to [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer) and sign in using an Azure Active Directory (Azure AD) user account. +1. You may need to enable the [`WindowsUpdates.ReadWrite.All` permission](/graph/permissions-reference#windows-updates-permissions) to use the queries in this article. To enable the permission: + 1. Select the **Modify permissions** tab in Graph Explorer. + 1. In the permissions dialog box, select the **WindowsUpdates.ReadWrite.All** permission then select **Consent**. You may need to sign in again to grant consent. + + :::image type="content" source="../media/7512398-wufbds-graph-modify-permission.png" alt-text="Screenshot of the modify permissions tab in Graph Explorer" lightbox="../media/7512398-wufbds-graph-modify-permission.png" ::: + +1. To make requests: + 1. 
Select either GET, POST, PUT, PATCH, or DELETE from the drop-down list for the HTTP method. + 1. Enter the request into the URL field. The version will populate automatically based on the URL. + 1. If you need to modify the request body, edit the **Request body** tab. + 1. Select the **Run query** button. The results will appear in the **Response** window. + + > [!TIP] + > When reviewing [Microsoft Graph documentation](/graph/), you may notice example requests usually list `content-type: application/json`. Specifying `content-type` typically isn't required for Graph Explorer, but you can add it to the request by selecting the **Headers** tab and adding the `content-type` to the **Request headers** field as the **Key** and `application/json` as the **Value**. diff --git a/windows/deployment/update/includes/wufb-deployment-graph-unenroll.md b/windows/deployment/update/includes/wufb-deployment-graph-unenroll.md new file mode 100644 index 0000000000..f85f158a63 --- /dev/null +++ b/windows/deployment/update/includes/wufb-deployment-graph-unenroll.md 
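Review bot: The step that has the reader consent to `WindowsUpdates.ReadWrite.All` in Graph Explorer never says that the grant stays in place after the walkthrough. This is a write permission over the tenant's update deployments, and the warning above already concedes that a production tenant may be used. I would add a sentence after the consent step such as `When you finish, remove consent for WindowsUpdates.ReadWrite.All if the account doesn't need it for ongoing work.` If the consent dialog offers an option to consent on behalf of the organization, the text should also tell admins to leave it cleared for this exercise.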
@@ -0,0 +1,42 @@ +--- +author: mestew +ms.author: mstewart +manager: aaroncz +ms.technology: itpro-updates +ms.prod: windows-client +ms.topic: include +ms.date: 02/14/2023 +ms.localizationpriority: medium +--- + + +When a device no longer needs to be managed by the deployment service, unenroll it. Just like [enrolling a device](#enroll-devices), specify either `driver` or `feature` as the value for the `updateCategory`. The device will no longer receive updates from the deployment service for the specified update category. Depending on the device's configuration, it may start to receive updates from Windows Update. For instance, if a device is still enrolled for feature updates, but it's unenrolled from drivers: + +- Existing driver deployments from the service won't be offered to the device +- The device will continue to receive feature updates from the deployment service +- Drivers may start being installed from Windows Update depending on the device's configuration + +To unenroll a device, POST to [updatableAssets](/graph/api/resources/windowsupdates-updatableasset) using [unenrollAssets](/graph/api/windowsupdates-updatableasset-unenrollassets). In the request body, specify: +- **Azure AD Device ID** as `id` for the device +- Either `feature` or `driver` for the updateCategory + +The following example removes `driver` enrollment for two devices, `01234567-89ab-cdef-0123-456789abcdef` and `01234567-89ab-cdef-0123-456789abcde0`: + +```msgraph-interactive +POST https://graph.microsoft.com/beta/admin/windows/updates/updatableAssets/unenrollAssets +content-type: application/json + +{ + "updateCategory": "driver", + "assets": [ + { + "@odata.type": "#microsoft.graph.windowsUpdates.azureADDevice", + "id": "01234567-89ab-cdef-0123-456789abcdef" + }, + { + "@odata.type": "#microsoft.graph.windowsUpdates.azureADDevice", + "id": "01234567-89ab-cdef-0123-456789abcde0" + } + ] +} +``` 
diff --git a/windows/deployment/update/includes/wufb-deployment-limitations.md b/windows/deployment/update/includes/wufb-deployment-limitations.md new file mode 100644 index 0000000000..34e70ba899 --- /dev/null +++ b/windows/deployment/update/includes/wufb-deployment-limitations.md @@ -0,0 +1,13 @@ +--- +author: mestew +ms.author: mstewart +manager: aaroncz +ms.technology: itpro-updates +ms.prod: windows-client +ms.topic: include +ms.date: 02/14/2023 +ms.localizationpriority: medium +--- + + +Windows Update for Business deployment service is a Windows service hosted in Azure that uses Windows diagnostic data. You should be aware that Windows Update for Business deployment service doesn't meet [US Government community compliance (GCC)](/office365/servicedescriptions/office-365-platform-service-description/office-365-us-government/gcc#us-government-community-compliance) requirements. For a list of GCC offerings for Microsoft products and services, see the [Microsoft Trust Center](/compliance/regulatory/offering-home). Windows Update for Business deployment service is available in the Azure Commercial cloud, but not available for GCC High or United States Department of Defense customers. diff --git a/windows/deployment/update/includes/wufb-deployment-update-health-tools-logs.md b/windows/deployment/update/includes/wufb-deployment-update-health-tools-logs.md new file mode 100644 index 0000000000..4e0d5caaff --- /dev/null +++ b/windows/deployment/update/includes/wufb-deployment-update-health-tools-logs.md 
@@ -0,0 +1,21 @@ +--- +author: mestew +ms.author: mstewart +manager: aaroncz +ms.technology: itpro-updates +ms.prod: windows-client +ms.topic: include +ms.date: 02/14/2023 +ms.localizationpriority: medium +--- + +## Log location for the Update Health Tools + +The Update Health Tools are used when you deploy expedited updates. In some cases, you may wish to review the logs for the Update Health Tools. + +**Log location**: `%ProgramFiles%\Microsoft Update Health Tools\Logs` + +- The logs are in `.etl` format. + - Microsoft offers [PerfView as a download on GitHub](https://github.com/Microsoft/perfview/blob/main/documentation/Downloading.md), which displays `.etl` files. + +For more information, see [Troubleshooting expedited updates](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/get-the-most-out-of-expedited-windows-quality-updates/ba-p/3659741). diff --git a/windows/deployment/update/media/7512398-deployment-enroll-asset-graph.png b/windows/deployment/update/media/7512398-deployment-enroll-asset-graph.png new file mode 100644 index 0000000000..9d0310652a Binary files /dev/null and b/windows/deployment/update/media/7512398-deployment-enroll-asset-graph.png differ diff --git a/windows/deployment/update/media/7512398-deployment-service-graph-modify-header.png b/windows/deployment/update/media/7512398-deployment-service-graph-modify-header.png new file mode 100644 index 0000000000..44fb8ee6ab Binary files /dev/null and b/windows/deployment/update/media/7512398-deployment-service-graph-modify-header.png differ diff --git a/windows/deployment/update/media/7512398-deployment-service-overview.png b/windows/deployment/update/media/7512398-deployment-service-overview.png new file mode 100644 index 0000000000..2e2085fb27 Binary files /dev/null and b/windows/deployment/update/media/7512398-deployment-service-overview.png differ 
diff --git a/windows/deployment/update/media/7512398-wufbds-graph-modify-permission.png b/windows/deployment/update/media/7512398-wufbds-graph-modify-permission.png new file mode 100644 index 0000000000..cfa73d5175 Binary files /dev/null and b/windows/deployment/update/media/7512398-wufbds-graph-modify-permission.png differ diff --git a/windows/deployment/update/media/7539531-wufb-reports-workbook-drivers.png b/windows/deployment/update/media/7539531-wufb-reports-workbook-drivers.png new file mode 100644 index 0000000000..261418b6ce Binary files /dev/null and b/windows/deployment/update/media/7539531-wufb-reports-workbook-drivers.png differ diff --git a/windows/deployment/update/images/wufb-do-overview.png b/windows/deployment/update/media/wufb-do-overview.png similarity index 100% rename from windows/deployment/update/images/wufb-do-overview.png rename to windows/deployment/update/media/wufb-do-overview.png diff --git a/windows/deployment/update/media/wufbds-product-large.png b/windows/deployment/update/media/wufbds-product-large.png deleted file mode 100644 index f74c499411..0000000000 Binary files a/windows/deployment/update/media/wufbds-product-large.png and /dev/null differ diff --git a/windows/deployment/update/wufb-reports-prerequisites.md b/windows/deployment/update/wufb-reports-prerequisites.md index 035a903b5a..7a74c64cb4 100644 --- a/windows/deployment/update/wufb-reports-prerequisites.md +++ b/windows/deployment/update/wufb-reports-prerequisites.md 
@@ -23,6 +23,8 @@ Before you begin the process of adding Windows Update for Business reports to yo - Devices can be [Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join) or [hybrid Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid). - Devices that are [Azure AD registered](/azure/active-directory/devices/concept-azure-ad-register) only (Workplace joined) aren't supported with Windows Update for Business reports. - The Log Analytics workspace must be in a [supported region](#log-analytics-regions) +- Data in the **Driver update** tab of the [workbook](wufb-reports-workbook.md) is only available for devices that receive driver and firmware updates from the [Windows Update for Business deployment service](deployment-service-overview.md) + ## Permissions diff --git a/windows/deployment/update/wufb-reports-schema-ucclientupdatestatus.md b/windows/deployment/update/wufb-reports-schema-ucclientupdatestatus.md index 6bd8442700..12318c9c53 100644 --- a/windows/deployment/update/wufb-reports-schema-ucclientupdatestatus.md +++ b/windows/deployment/update/wufb-reports-schema-ucclientupdatestatus.md 
@@ -20,6 +20,7 @@ Update Event that combines the latest client-based data with the latest service- |---|---|---|---| | **AzureADDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | A string corresponding to the Azure AD tenant to which the device belongs. | | **AzureADTenantId** | [string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | A string corresponding to this device's Azure AD device ID | +|**CatalogId** | [string](/azure/kusto/query/scalar-data-types/string) | `b0f410599615e2ce15e6614ac3fc4ec62d80324020351e172edef89091a64f2f` | The update catalog ID | | **ClientState** | [string](/azure/kusto/query/scalar-data-types/string) | `Installing` | Higher-level bucket of ClientSubstate. | | **ClientSubstate** | [string](/azure/kusto/query/scalar-data-types/string) | `DownloadStart` | Last-known state of this update relative to the device, from the client. | | **ClientSubstateRank** | [int](/azure/kusto/query/scalar-data-types/int) | `2300` | Ranking of client substates for sequential ordering in funnel-type views. The rankings between ServiceSubstate and ClientSubstate can be used together. | 
@@ -29,9 +30,11 @@ Update Event that combines the latest client-based data with the latest service-
 | **FurthestClientSubstate** | [string](/azure/kusto/query/scalar-data-types/string) | `DownloadComplete` | Furthest clientSubstate |
 | **FurthestClientSubstateRank** | [int](/azure/kusto/query/scalar-data-types/int) | `2400` | Ranking of furthest clientSubstate |
 | **GlobalDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `g:9832741921341` | Microsoft internal global device identifier |
+| **IsUpdateHealty** | [bool](/azure/data-explorer/kusto/query/scalar-data-types/bool) | `1` | True: No issues preventing this device from updating to this update have been found. False: There is something that may prevent this device from updating. |
 | **OfferReceivedTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | Date and time when device last reported entering OfferReceived, else empty. |
 | **RestartRequiredTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | Date and time when device first reported entering RebootRequired (or RebootPending), else empty. |
 | **SCCMClientId** | [string](/azure/kusto/query/scalar-data-types/string) | `5AB72FAC-93AB-4954-9AB0-6557D0EFA245` | A string corresponding to the Configuration Manager Client ID on the device. |
+| **SourceSystem** | [string](/azure/kusto/query/scalar-data-types/string)| `Azure`| |
 | **TargetBuild** | [string](/azure/kusto/query/scalar-data-types/string) | `10.0.18363.836` | The full build of the content this DeviceUpdateEvent is tracking. For Windows 10 updates, this value would correspond to the full build (10.0.14393.385). |
 | **TargetBuildNumber** | [int](/azure/kusto/query/scalar-data-types/int) | `18363` | Integer of the Major portion of Build. |
 | **TargetKBNumber** | [int](/azure/kusto/query/scalar-data-types/int) | `4524570` | KB Article. |
@@ -40,8 +43,10 @@ Update Event that combines the latest client-based data with the latest service-
 | **TimeGenerated** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The time the snapshot generated this specific record. This is to determine to which batch snapshot this record belongs. |
 | **Type** | [string](/azure/kusto/query/scalar-data-types/string) | `DeviceUpdateEvent` | The EntityType |
 | **UpdateCategory** | [string](/azure/kusto/query/scalar-data-types/string) | `WindowsFeatureUpdate` | The type of content this DeviceUpdateEvent is tracking. |
-| **UpdateClassification** | [string](/azure/kusto/query/scalar-data-types/string) | `Upgrade` | Whether the update classification is an upgrade (feature update), security (quality update), non-security (quality update) |
+| **UpdateClassification** | [string](/azure/kusto/query/scalar-data-types/string) | `Upgrade` | Whether the update classification is an upgrade (feature update), security (quality update), non-security (quality update), or driver |
 | **UpdateDisplayName** | [string](/azure/kusto/query/scalar-data-types/string) | `Windows 10 1909` | The long-form display name for the given update. Varies on content type (feature update. quality update) |
+| **UpdateId** | [string](/azure/kusto/query/scalar-data-types/string) | `10e519f0-06ae-4141-8f53-afee63e995f0` |Update ID of the targeted update|
 | **UpdateInstalledTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | DateTime when event transitioned to UpdateInstalled, else empty. |
+| **UpdateManufacturer** | [string](/azure/kusto/query/scalar-data-types/string) | `Microsoft` | Manufacturer of update. Microsoft for feature or quality updates, for drivers the name of driver manufacturer. 
|
 | **UpdateReleaseTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The release date of the update |
 | **UpdateSource** | [string](/azure/kusto/query/scalar-data-types/string) | `UUP` | The source of the update such as UUP, MUv6, Media |
diff --git a/windows/deployment/update/wufb-reports-schema-ucdevicealert.md b/windows/deployment/update/wufb-reports-schema-ucdevicealert.md
index 78efd1d68b..e515e80e13 100644
--- a/windows/deployment/update/wufb-reports-schema-ucdevicealert.md
+++ b/windows/deployment/update/wufb-reports-schema-ucdevicealert.md
@@ -43,4 +43,4 @@ These alerts are activated as a result of an issue that is device-specific. It i
 | **TimeGenerated** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The time the snapshot generated this specific record. This is to determine to which batch snapshot this record belongs. |
 | **Type** | [string](/azure/kusto/query/scalar-data-types/string) | `UpdateAlert` | The entity type. |
 | **UpdateCategory** | [string](/azure/kusto/query/scalar-data-types/string) | `WindowsFeatureUpdate` | The type of content this DeviceUpdateEvent is tracking. |
-| **UpdateClassification** | [string](/azure/kusto/query/scalar-data-types/string) | `Upgrade` | Whether this content is an upgrade (feature update), security (quality update), non-security (quality update) |
+| **UpdateClassification** | [string](/azure/kusto/query/scalar-data-types/string) | `Upgrade` | Whether this content is an upgrade (feature update), security (quality update), non-security (quality update), or driver |
diff --git a/windows/deployment/update/wufb-reports-schema-ucserviceupdatestatus.md b/windows/deployment/update/wufb-reports-schema-ucserviceupdatestatus.md
index 87184d6464..8e8e34ea82 100644
--- a/windows/deployment/update/wufb-reports-schema-ucserviceupdatestatus.md
+++ b/windows/deployment/update/wufb-reports-schema-ucserviceupdatestatus.md
@@ -20,15 +20,33 @@ Update Event that comes directly from the service-side. The event has only servi
 |---|---|---|---|
 | **AzureADDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | If this DeviceUpdateEvent is from content deployed by a deployment scheduler service policy, this GUID will map to that policy, otherwise it will be empty. |
 | **AzureADTenantId** | [string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | A GUID corresponding to the Azure AD tenant to which the device belongs. |
-| **DeploymentId** | [string](/azure/kusto/query/scalar-data-types/string) | `cf1b12a3-3d84-4ce3-bc8e-de48459e252d` | If this DeviceUpdateEvent is from content deployed by a deployment scheduler service policy, this GUID will map to that policy, otherwise it will be empty. |
+|**CatalogId** | [string](/azure/kusto/query/scalar-data-types/string) | `b0f410599615e2ce15e6614ac3fc4ec62d80324020351e172edef89091a64f2f` | The update catalog ID |
+| **DeploymentApprovedTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2022-05-14 09:26:03.478039` | Date and time of the update approval |
+| **DeploymentId** | [string](/azure/kusto/query/scalar-data-types/string) |`cf1b12a3-3d84-4ce3-bc8e-de48459e252d` | If this DeviceUpdateEvent is from content deployed by a deployment scheduler service policy, this GUID will map to that policy, otherwise it will be empty. 
|
+| **DeploymentName** | [string](/azure/kusto/query/scalar-data-types/string) |`My deployment` | Friendly name of the created deployment |
+| **DeploymentIsExpedited** | [bool](/azure/data-explorer/kusto/query/scalar-data-types/bool) | `1` | Whether the content is being expedited |
+| **DeploymentRevokeTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2022-05-14 09:26:03.478039` | Date and time the update was revoked |
 | **GlobalDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `g:9832741921341` | Microsoft internal global device identifier |
 | **OfferReadyTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | DateTime of OfferReady transition. If empty, not yet been offered. |
+| **PolicyCreatedTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | Date and time the policy was created |
+| **PolicyId** | [string](/azure/kusto/query/scalar-data-types/string) | `9011c330-1234-5678-9abc-def012345678` | The policy identifier targeting the update to this device |
+| **PolicyName** | [string](/azure/kusto/query/scalar-data-types/string) | `My policy` | Friendly name of the policy |
 | **ServiceState** | [string](/azure/kusto/query/scalar-data-types/string) | `Offering` | High-level state of update's status relative to device, service-side. |
 | **ServiceSubstate** | [string](/azure/kusto/query/scalar-data-types/string) | `OfferReady` | Low-level state of update's status relative to device, service-side. |
 | **ServiceSubstateTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | Date and time of last ServiceSubstate transition. |
+| **SourceSystem** | [string](/azure/kusto/query/scalar-data-types/string)| `Azure`| |
 | **TargetBuild** | [string](/azure/kusto/query/scalar-data-types/string) | `10.0.18363.836` | The full build for the content this event is tracking. 
For Windows 10, this string corresponds to "10.0.Build.Revision" |
 | **TargetVersion** | [int](/azure/kusto/query/scalar-data-types/int) | `1909` | The version of content this DeviceUpdateEvent is tracking. For Windows 10 updates, this number would correspond to the year/month version format used, such as 1903. |
+| **TenantId** | [string](/azure/kusto/query/scalar-data-types/string) | `9011c330-1234-5678-9abc-def012345678` | Azure AD tenant ID |
 | **TimeGenerated** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | Time the snapshot ran can also be the same as EventDateTimeUTC in some cases. |
 | **Type** | [string](/azure/kusto/query/scalar-data-types/string) | `ServiceUpdateEvent` | The EntityType |
 | **UpdateCategory** | [string](/azure/kusto/query/scalar-data-types/string) | `WindowsFeatureUpdate` | The type of content this DeviceUpdateEvent is tracking. |
-| **UpdateClassification** | [string](/azure/kusto/query/scalar-data-types/string) | `Upgrade` | Whether this update is an upgrade (feature update), security (quality update), non-security (quality update) |
+| **UpdateClassification** | [string](/azure/kusto/query/scalar-data-types/string) | `Upgrade` | Whether this update is an upgrade (feature update), security (quality update), non-security (quality update), or driver |
+| **UpdateDisplayName** | [string](/azure/kusto/query/scalar-data-types/string) | `Windows 10 1909` | The long-form display name for the given update. Varies on content type (feature update. quality update) |
+| **UpdateId** | [string](/azure/kusto/query/scalar-data-types/string) | `10e519f0-06ae-4141-8f53-afee63e995f0` |Update ID of the targeted update|
+| **UpdateManufacturer** | [string](/azure/kusto/query/scalar-data-types/string) | `Microsoft` | Manufacturer of update. Microsoft for feature or quality updates, for drivers the name of driver manufacturer. 
|
+|**UpdateProvider** | [string](/azure/kusto/query/scalar-data-types/string) | `Microsoft` | Update provider of drivers and firmware |
+| **UpdateRecommendedTime** |[datetime](/azure/kusto/query/scalar-data-types/datetime) | `2022-05-14 09:26:03.478039` | Date and time when the update was recommended to the device |
+| **UpdateReleaseTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The release date of the update |
+|**UpdateVersion** | [string](/azure/kusto/query/scalar-data-types/string) | `20.0.19.3` | Update version of drivers or firmware |
+| **UpdateVersionTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | Update version date time stamp for drivers and firmware |
diff --git a/windows/deployment/update/wufb-reports-schema-ucupdatealert.md b/windows/deployment/update/wufb-reports-schema-ucupdatealert.md
index f00e02af9e..db70047ed0 100644
--- a/windows/deployment/update/wufb-reports-schema-ucupdatealert.md
+++ b/windows/deployment/update/wufb-reports-schema-ucupdatealert.md
@@ -42,8 +42,10 @@ Alert for both client and service updates. Contains information that needs atten
 | **StartTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The time this alert was activated. |
 | **TargetBuild** | [string](/azure/kusto/query/scalar-data-types/string) | `18363.836` | The Windows 10 Major. Revision this UpdateAlert is relative to. |
 | **TargetVersion** | [string](/azure/kusto/query/scalar-data-types/string) | `1909` | The Windows 10 build this UpdateAlert is relative to. |
+| **TenantId** |[string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Azure AD tenant ID of the device. |
 | **TimeGenerated** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The time the snapshot generated this specific record. This is to determine to which batch snapshot this record belongs. |
 | **Type** | [string](/azure/kusto/query/scalar-data-types/string) | `UpdateAlert` | The entity type. |
 | **UpdateCategory** | [string](/azure/kusto/query/scalar-data-types/string) | `WindowsFeatureUpdate` | The type of content this DeviceUpdateEvent is tracking. |
-| **UpdateClassification** | [string](/azure/kusto/query/scalar-data-types/string) | `Upgrade` | Whether this update is an upgrade (feature update), security (quality update), non-security (quality update) |
+| **UpdateClassification** | [string](/azure/kusto/query/scalar-data-types/string) | `Upgrade` | Whether this update is an upgrade (feature update), security (quality update), non-security (quality update), or driver |
 | **URL** | [string](/azure/kusto/query/scalar-data-types/string) | `aka.ms/errordetail32152` | An optional URL to get more in-depth information related to this alert. |
+| **UpdateId** | [string](/azure/kusto/query/scalar-data-types/string) | `10e519f0-06ae-4141-8f53-afee63e995f0` |Update ID of the targeted update|
diff --git a/windows/deployment/update/wufb-reports-workbook.md b/windows/deployment/update/wufb-reports-workbook.md index c6ddd21005..279be81249 100644 --- a/windows/deployment/update/wufb-reports-workbook.md +++ b/windows/deployment/update/wufb-reports-workbook.md @@ -15,14 +15,15 @@ ms.technology: itpro-updates ***(Applies to: Windows 11 & Windows 10)*** -[Windows Update for Business reports](wufb-reports-overview.md) presents information commonly needed by updates administrators in an easy-to-use format. Windows Update for Business reports uses [Azure Workbooks](/azure/azure-monitor/visualize/workbooks-getting-started) to give you a visual representation of your compliance data. The workbook is broken down into four tab sections: +[Windows Update for Business reports](wufb-reports-overview.md) presents information commonly needed by updates administrators in an easy-to-use format. Windows Update for Business reports uses [Azure Workbooks](/azure/azure-monitor/visualize/workbooks-getting-started) to give you a visual representation of your compliance data. The workbook is broken down into tab sections: - [Summary](#summary-tab) - [Quality updates](#quality-updates-tab) - [Feature updates](#feature-updates-tab) - [Delivery Optimization](#bkmk_do) +- [Driver updates](#driver-updates-tab) -:::image type="content" source="media/33771278-wufb-reports-workbook-summary.png" alt-text="Screenshot of the summary tab in the Windows Update for Business reports workbook with the three tabbed sections outlined in red." lightbox="media/33771278-wufb-reports-workbook-summary.png"::: +:::image type="content" source="media/33771278-wufb-reports-workbook-summary.png" alt-text="Screenshot of the summary tab in the Windows Update for Business reports workbook. The three tabbed sections are outlined in red." lightbox="media/33771278-wufb-reports-workbook-summary.png"::: ## Open the Windows Update for Business reports workbook 
@@ -137,7 +138,40 @@ The **Device status** group for feature updates contains the following items: - **Device compliance status**: Table containing a list of devices getting a feature update and installation information including active alerts for the devices. - This table is limited to the first 250 rows. Select `...` to export the full list, or display the query in [Log Analytics](/azure/azure-monitor/logs/log-analytics-tutorial). -## Delivery Optimization (preview tab) +## Driver updates tab + +The **Driver update** tab provides information on driver and firmware update deployments from [Windows Update for Business deployment service](deployment-service-overview.md). Generalized data is at the top of the page in tiles. The data becomes more specific as you navigate lower in this tab. The top of the driver updates tab contains tiles with the following information: + +**Devices taking driver updates**: Count of devices that are installing driver and firmware updates. +**Approved updates**: Count of approved driver updates +**Total policies**: The total number of deployment polices for driver and firmware updates from [Windows Update for Business deployment service](deployment-service-overview.md) +**Active alerts**: Count of active alerts for driver deployments + +Selecting **View details** on any of the tiles displays a flyout with a chart that displays the first 250 items. Select `...` from the flyout to export the full list, or display the query in [Log Analytics](/azure/azure-monitor/logs/log-analytics-tutorial). + +:::image type="content" source="media/7539531-wufb-reports-workbook-drivers.png" alt-text="Screenshot of the update status tab for driver updates." lightbox="media/7539531-wufb-reports-workbook-drivers.png"::: + +Just like the [**Quality updates**](#quality-updates-tab) and [**Feature updates**](#feature-updates-tab) tabs, the **Driver updates** tab is also subdivided into **Update status** and **Device status** groups below the tiles. 
These different chart groups allow you to easily discover trends in compliance data. + +### Update status group for drivers + +The **Update status** group for driver updates contains the following items: + +- **Update states for all driver updates**: Chart containing the number of devices in a specific state, such as installing, for driver updates. +- **Distribution of Driver Classes**: Chart containing the number of drivers in a specific class. +- **Update alerts for all driver updates**: Chart containing the count of active errors and warnings for driver updates. + +The **Update deployment status** table displays information about deployed driver updates for your devices. Drill-in further by selecting a value from the **TotalDevices** column to display the status of a specific driver for a specific policy along with information about the installation status for each device. + +### Device status group for driver updates + +The **Device status** group for driver updates contains the following items: + +- **Device alerts**: Count of active device alerts for driver updates in each alert classification. +- **Device compliance status**: Table containing a list of devices getting a driver update and installation information including active alerts for the devices. + - This table is limited to the first 250 rows. Select `...` to export the full list, or display the query in [Log Analytics](/azure/azure-monitor/logs/log-analytics-tutorial). + +## Delivery Optimization The **Delivery Optimization** tab provides a summarized view of bandwidth efficiencies. This new revised report also includes [Microsoft Connected Cache](/windows/deployment/do/waas-microsoft-connected-cache) information. 
@@ -154,7 +188,8 @@ The Delivery Optimization tab is further divided into the following groups: - **Content Distribution**: Includes charts showing percentage volumes and GB volumes by source by content types. All content types are linked to a table for deeper filtering by **ContentType**, **AzureADTenantId**, and **GroupID**. - **Efficiency By Group**: This view provides filters commonly used ways of grouping devices. The provided filters include: **GroupID**, **City**, **Country**, and **ISP**. -:::image type="content" source="images/wufb-do-overview.png" alt-text="Screenshot of the summary tab in the Windows Update for Business reports workbook for Delivery Optimization." lightbox="images/wufb-do-overview.png"::: +:::image type="content" source="media/wufb-do-overview.png" alt-text="Screenshot of the summary tab in the Windows Update for Business reports workbook for Delivery Optimization." lightbox="media/wufb-do-overview.png"::: + ## Customize the workbook diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md index 3c5bb1f346..92e00968e2 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md 
@@ -91,7 +91,7 @@ When the assignment is complete, the **Ring assigned by** column changes to **Ad Windows Autopatch monitors device membership in its deployment rings, except for the **Modern Workplace Devices-Windows Autopatch-Test** ring, to provide automated deployment ring remediation functions to mitigate the risk of not having its managed devices being part of one of its deployment rings. These automated functions help mitigate risk of potentially having devices in a vulnerable state, and exposed to security threats in case they're not receiving update deployments due to either: - Changes performed by the IT admin on objects created by the Windows Autopatch tenant enrollment process, or -- An issue occurred which prevented devices from getting a deployment rings assigned during the [device registration process](../deploy/windows-autopatch-device-registration-overview.md). +- An issue occurred which prevented devices from getting a deployment ring assigned during the [device registration process](../deploy/windows-autopatch-device-registration-overview.md). There are two automated deployment ring remediation functions: diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md index 4d8d128f89..eae276feaa 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md 
@@ -71,7 +71,12 @@ Windows Autopatch uses Microsoft Intune’s built-in solution, which uses config Windows Autopatch provides a permanent pause of a Windows feature update deployment. The Windows Autopatch service automatically extends the 35-day pause limit (permanent pause) established by Microsoft Intune on your behalf. The deployment remains permanently paused until you decide to resume it. -## Pausing and resuming a release +## Release management + +> [!NOTE] +> To access the Release management blade, you must have the correct [role-based access control](../deploy/windows-autopatch-register-devices.md#built-in-roles-required-for-device-registration). + +### Pausing and resuming a release > [!CAUTION] > It's only recommended to use Windows Autopatch's end-user experience to pause and resume [Windows quality](../operate/windows-autopatch-windows-quality-update-overview.md#pausing-and-resuming-a-release) and [Windows feature updates](#pausing-and-resuming-a-release). If you need assistance with pausing and resuming updates, please [submit a support request](../operate/windows-autopatch-support-request.md). diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md index c2ad146ec6..7ab913eb2c 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md 
@@ -54,6 +54,9 @@ Windows Autopatch configures these policies differently across deployment rings ## Release management +> [!NOTE] +> To access the Release management blade, you must have the correct [role-based access control](../deploy/windows-autopatch-register-devices.md#built-in-roles-required-for-device-registration). + In the Release management blade, you can: - Track the [Windows quality update schedule](#release-schedule) for devices in the [four deployment rings](windows-autopatch-update-management.md#windows-autopatch-deployment-rings). diff --git a/windows/hub/docfx.json b/windows/hub/docfx.json index f1b885b970..c1b07ce9d8 100644 --- a/windows/hub/docfx.json +++ b/windows/hub/docfx.json @@ -34,6 +34,9 @@ "externalReference": [], "globalMetadata": { "recommendations": true, + "ms.collection": [ + "tier1" + ], "audience": "ITPro", "breadcrumb_path": "/windows/resources/breadcrumb/toc.json", "uhfHeaderId": "MSDocsHeader-M365-IT", diff --git a/windows/security/cryptography-certificate-mgmt.md b/windows/security/cryptography-certificate-mgmt.md index 768b1e3c3f..2edd15d942 100644 --- a/windows/security/cryptography-certificate-mgmt.md +++ b/windows/security/cryptography-certificate-mgmt.md @@ -1,7 +1,6 @@ --- title: Cryptography and Certificate Management description: Get an overview of cryptography and certificate management in Windows -search.appverid: MET150 author: paolomatarazzo ms.author: paoloma manager: aaroncz @@ -9,9 +8,6 @@ ms.topic: conceptual ms.date: 09/07/2021 ms.prod: windows-client ms.technology: itpro-security -ms.localizationpriority: medium -ms.collection: -ms.custom: ms.reviewer: skhadeer, raverma --- diff --git a/windows/security/docfx.json b/windows/security/docfx.json index bb2804df03..ceef5206ad 100644 --- a/windows/security/docfx.json +++ b/windows/security/docfx.json 
@@ -34,6 +34,9 @@
 "externalReference": [],
 "globalMetadata": {
 "recommendations": true,
+ "ms.collection": [
+ "tier2"
+ ],
 "breadcrumb_path": "/windows/resources/breadcrumb/toc.json",
 "uhfHeaderId": "MSDocsHeader-M365-IT",
 "ms.localizationpriority": "medium",
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md
index 0a6ef16c6e..ce118ce681 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md
@@ -27,14 +27,12 @@ Windows Hello for Business cloud Kerberos trust uses *Azure AD Kerberos*, which ## Azure AD Kerberos and cloud Kerberos trust authentication -*Key trust* and *certificate trust* use certificate authentication-based Kerberos for requesting kerberos ticket-granting-tickets (TGTs) for on-premises authentication. This type of authentication requires a PKI for DC certificates, and requires end-user certificates for certificate trust.\ -For *Azure AD joined devices* to have single sign-on (SSO) to on-premises resources protected by Active Directory, they must trust and validate the DC certificates. For this to happen, a certificate revocation list (CRL) must be published to an endpoint accessible by the Azure AD joined devices. +*Key trust* and *certificate trust* use certificate authentication-based Kerberos for requesting kerberos ticket-granting-tickets (TGTs) for on-premises authentication. This type of authentication requires a PKI for DC certificates, and requires end-user certificates for certificate trust. -*Cloud Kerberos trust* uses *Azure AD Kerberos*, which doesn't require any of the above PKI to request TGTs. +Cloud Kerberos trust uses Azure AD Kerberos, which doesn't require a PKI to request TGTs.\ +With Azure AD Kerberos, Azure AD can issue TGTs for one or more AD domains. Windows can request a TGT from Azure AD when authenticating with Windows Hello for Business, and use the returned TGT for logon or to access traditional AD-based resources. Kerberos service tickets and authorization continue to be controlled by the on-premises Domain Controllers. -With *Azure AD Kerberos*, Azure AD can issue TGTs for one or more AD domains. Windows can request a TGT from Azure AD when authenticating with Windows Hello for Business, and use the returned TGT for logon or to access traditional AD-based resources. Kerberos service tickets and authorization continue to be controlled by the on-premises Domain Controllers. 
- -When *Azure AD Kerberos* is enabled in an Active Directory domain, an *Azure AD Kerberos server object* is created in the domain. This object: +When Azure AD Kerberos is enabled in an Active Directory domain, an *Azure AD Kerberos server object* is created in the domain. This object: - Appears as a Read Only Domain Controller (RODC) object, but isn't associated with any physical servers - Is only used by Azure AD to generate TGTs for the Active Directory domain. The same rules and restrictions used for RODCs apply to the Azure AD Kerberos Server object @@ -45,7 +43,7 @@ For more information about how Azure AD Kerberos enables access to on-premises r For more information about how Azure AD Kerberos works with Windows Hello for Business cloud Kerberos trust, see [Windows Hello for Business authentication technical deep dive](hello-how-it-works-authentication.md#hybrid-azure-ad-join-authentication-using-azure-ad-kerberos-cloud-kerberos-trust). > [!IMPORTANT] -> When implementing the *hybrid cloud Kerberos trust* deployment model, you *must* ensure that you have an adequate number of *read-write domain controllers* in each Active Directory site where users will be authenticating with Windows Hello for Business. For more information, see [Capacity planning for Active Directory][SERV-1]. +> When implementing the cloud Kerberos trust deployment model, you *must* ensure that you have an adequate number of *read-write domain controllers* in each Active Directory site where users will be authenticating with Windows Hello for Business. For more information, see [Capacity planning for Active Directory][SERV-1]. ## Prerequisites 
@@ -73,9 +71,9 @@ The following scenarios aren't supported using Windows Hello for Business cloud ## Deployment steps -Deploying *Windows Hello for Business cloud Kerberos trust* consists of two steps: +Deploying Windows Hello for Business cloud Kerberos trust consists of two steps: -1. Set up *Azure AD Kerberos* +1. Set up Azure AD Kerberos 1. Configure a Windows Hello for Business policy and deploy it to the devices ### Deploy Azure AD Kerberos @@ -86,7 +84,7 @@ If you haven't deployed Azure AD Kerberos, follow the instructions in the [Enabl ### Configure Windows Hello for Business policy -After setting up the *Azure AD Kerberos object*, Windows Hello for business cloud Kerberos trust must be enabled on your Windows devices. Follow the instructions below to configure your devices using either Microsoft Intune or group policy (GPO). +After setting up the Azure AD Kerberos object, Windows Hello for business cloud Kerberos trust must be enabled on your Windows devices. Follow the instructions below to configure your devices using either Microsoft Intune or group policy (GPO). #### [:::image type="icon" source="../../images/icons/intune.svg"::: **Intune**](#tab/intune) @@ -116,7 +114,7 @@ Windows Hello for Business settings are also available in the settings catalog. ### Configure cloud Kerberos trust policy -To configure the *cloud Kerberos trust* policy, follow the steps below: +To configure the cloud Kerberos trust policy, follow the steps below: 1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 1. Select **Devices** > **Windows** > **Configuration Profiles** > **Create profile**. 
@@ -156,7 +154,7 @@ You can also create a Group Policy Central Store and copy them their respective #### Create the Windows Hello for Business group policy object -You can configure Windows devices to enable *Windows Hello for Business cloud Kerberos trust* using a Group Policy Object (GPO). +You can configure Windows Hello for Business cloud Kerberos trust using a Group Policy Object (GPO). 1. Using the Group Policy Management Console (GPMC), scope a domain-based Group Policy to computer objects in Active Directory 1. Edit the Group Policy object from Step 1 @@ -168,7 +166,7 @@ You can configure Windows devices to enable *Windows Hello for Business cloud Ke --- > [!IMPORTANT] -> If the *Use certificate for on-premises authentication* policy is enabled, *certificate trust* will take precedence over *cloud Kerberos trust*. Ensure that the machines that you want to enable *cloud Kerberos trust* have this policy *not configured* or *disabled*. +> If the *Use certificate for on-premises authentication* policy is enabled, certificate trust will take precedence over cloud Kerberos trust. Ensure that the machines that you want to enable cloud Kerberos trust have this policy *not configured* or *disabled*. ## Provision Windows Hello for Business 
@@ -196,11 +194,11 @@ This is the process that occurs after a user signs in, to enroll in Windows Hell ### Sign-in -Once a user has set up a PIN with *cloud Kerberos trust*, it can be used **immediately** for sign-in. On a Hybrid Azure AD joined device, the first use of the PIN requires line of sight to a DC. Once the user has signed in or unlocked with the DC, cached sign-in can be used for subsequent unlocks without line of sight or network connectivity. +Once a user has set up a PIN with cloud Kerberos trust, it can be used **immediately** for sign-in. On a Hybrid Azure AD joined device, the first use of the PIN requires line of sight to a DC. Once the user has signed in or unlocked with the DC, cached sign-in can be used for subsequent unlocks without line of sight or network connectivity. ## Migrate from key trust deployment model to cloud Kerberos trust -If you deployed Windows Hello for Business using the *key trust model*, and want to migrate to the *cloud Kerberos trust model*, follow these steps: +If you deployed Windows Hello for Business using the key trust model, and want to migrate to the cloud Kerberos trust model, follow these steps: 1. [Set up Azure AD Kerberos in your hybrid environment](#deploy-azure-ad-kerberos) 1. [Enable cloud Kerberos trust via Group Policy or Intune](#configure-windows-hello-for-business-policy) 
@@ -209,14 +207,14 @@ If you deployed Windows Hello for Business using the *key trust model*, and want > [!NOTE] > For hybrid Azure AD joined devices, users must perform the first sign in with new credentials while having line of sight to a DC. > -> Without line of sight to a DC, even when the client is configured to use *cloud Kerberos trust*, the system will fall back to *key trust* if *cloud Kerberos trust* login fails. +> Without line of sight to a DC, even when the client is configured to use cloud Kerberos trust, the system will fall back to key trust if cloud Kerberos trust login fails. ## Migrate from certificate trust deployment model to cloud Kerberos trust > [!IMPORTANT] -> There is no *direct* migration path from *certificate trust* deployment to *cloud Kerberos trust* deployment. The Windows Hello container must be deleted before you can migrate to cloud Kerberos trust. +> There is no *direct* migration path from a certificate trust deployment to a cloud Kerberos trust deployment. The Windows Hello container must be deleted before you can migrate to cloud Kerberos trust. -If you deployed Windows Hello for Business using the *certificate trust model*, and want to use the *cloud Kerberos trust model*, you must redeploy Windows Hello for Business by following these steps: +If you deployed Windows Hello for Business using the certificate trust model, and want to use the cloud Kerberos trust model, you must redeploy Windows Hello for Business by following these steps: 1. Disable the certificate trust policy 1. [Enable cloud Kerberos trust via Group Policy or Intune](#configure-windows-hello-for-business-policy) diff --git a/windows/security/identity-protection/remote-credential-guard.md b/windows/security/identity-protection/remote-credential-guard.md index eb1922b3a8..2876ab9e18 100644 --- a/windows/security/identity-protection/remote-credential-guard.md +++ b/windows/security/identity-protection/remote-credential-guard.md 
@@ -156,6 +156,7 @@ Beginning with Windows 10 version 1703, you can enable Windows Defender Remote C > [!NOTE] > Neither Windows Defender Remote Credential Guard nor Restricted Admin mode will send credentials in clear text to the Remote Desktop server. + > When **Restrict Credential Delegation** is enabled, the /restrictedAdmin switch will be ignored. Windows will enforce the policy configuration instead and will use Windows Defender Remote Credential Guard. - If you want to require Windows Defender Remote Credential Guard, choose **Require Remote Credential Guard**. With this setting, a Remote Desktop connection will succeed only if the remote computer meets the [requirements](#reqs) listed earlier in this topic. diff --git a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md index b86eb930d8..93dc998a8a 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md +++ b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md 
@@ -36,7 +36,7 @@ Starting with Windows 10 version 1703, the enablement of BitLocker can be trigge For hardware that is compliant with Modern Standby and HSTI, when using either of these features, [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) is automatically turned on whenever the user joins a device to Azure AD. Azure AD provides a portal where recovery keys are also backed up, so users can retrieve their own recovery key for self-service, if necessary. For older devices that aren't yet encrypted, beginning with Windows 10 version 1703, admins can use the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp/) to trigger encryption and store the recovery key in Azure AD. This process and feature is applicable to Azure Hybrid AD as well. > [!NOTE] -> To manage Bitlocker, except to enable and disable it, one of the following licenses must be assigned to your users: +> To manage Bitlocker via CSP (Configuration Service Provider), except to enable and disable it, regardless of your management platform, one of the following licenses must be assigned to your users: > - Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, and E5). > - Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 and A5). diff --git a/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md b/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md index 34b14b5105..ef5a4ad22d 100644 --- a/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md +++ b/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md 
@@ -35,13 +35,13 @@ Some TPM PCRs are used as checksums of log events. The log events are extended i To bind the use of a TPM based key to a certain state of the PC, the key can be sealed to an expected set of PCR values. For instance, PCRs 0 through 7 have a well-defined value after the boot process – when the OS is loaded. When the hardware, firmware, or boot loader of the machine changes, the change can be detected in the PCR values. Windows uses this capability to make certain cryptographic keys only available at certain times during the boot process. For instance, the BitLocker key can be used at a certain point in the boot, but not before or after. -It is important to note that this binding to PCR values also includes the hashing algorithm used for the PCR. For instance, a key can be bound to a specific value of the SHA-1 PCR\[12\], if using SHA-256 PCR banks, even with the same system configuration. Otherwise, the PCR values will not match. +It is important to note that this binding to PCR values also includes the hashing algorithm used for the PCR. For instance, a key can be bound to a specific value of the SHA-1 PCR\[12\], if using the SHA-256 PCR bank, even with the same system configuration. Otherwise, the PCR values will not match. ## What happens when PCR banks are switched? When the PCR banks are switched, the algorithm used to compute the hashed values stored in the PCRs during extend operations is changed. Each hash algorithm will return a different cryptographic signature for the same inputs. -As a result, if the currently used PCR bank is switched all keys that have been bound to the previous PCR values will no longer work. For example, if you had a key bound to the SHA-1 value of PCR\[12\] and subsequently changed the PCR banks to SHA-256, the banks wouldn’t match, and you would be unable to use that key. 
The BitLocker key is secured using the PCR banks and Windows will not be able to unseal it if the PCR banks are switched while BitLocker is enabled. +As a result, if the currently used PCR bank is switched all keys that have been bound to the previous PCR values will no longer work. For example, if you had a key bound to the SHA-1 value of PCR\[12\] and subsequently changed the PCR bank to SHA-256, the banks wouldn’t match, and you would be unable to use that key. The BitLocker key is secured using the PCR banks and Windows will not be able to unseal it if the PCR banks are switched while BitLocker is enabled. ## What can I do to switch PCRs when BitLocker is already active? @@ -49,7 +49,7 @@ Before switching PCR banks you should suspend or disable BitLocker – or have y ## How can I identify which PCR bank is being used? -A TPM can be configured to have multiple PCR banks active. When BIOS is performing measurements it will do so into all active PCR banks, depending on its capability to make these measurements. BIOS may chose to deactivate PCR banks that it does not support or "cap" PCR banks that it does not support by extending a separator. The following registry value identifies which PCR banks are active. +A TPM can be configured to have multiple PCR banks active. When BIOS is performing measurements it will do so into all active PCR banks, depending on its capability to make these measurements. BIOS may choose to deactivate PCR banks that it does not support or "cap" PCR banks that it does not support by extending a separator. The following registry value identifies which PCR banks are active. - Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\IntegrityServices
- DWORD: TPMActivePCRBanks
diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.yml b/windows/security/threat-protection/windows-defender-application-control/TOC.yml index f9355db522..cacb1ef857 100644 --- a/windows/security/threat-protection/windows-defender-application-control/TOC.yml +++ b/windows/security/threat-protection/windows-defender-application-control/TOC.yml @@ -68,6 +68,8 @@ href: wdac-wizard-create-supplemental-policy.md - name: Editing a WDAC policy with the Wizard href: wdac-wizard-editing-policy.md + - name: Creating WDAC Policy Rules from WDAC Events + href: wdac-wizard-parsing-event-logs.md - name: Merging multiple WDAC policies with the Wizard href: wdac-wizard-merging-policies.md - name: WDAC deployment guide diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-files-expanded.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-files-expanded.png new file mode 100644 index 0000000000..841b3104fe Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-files-expanded.png differ diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-files.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-files.png new file mode 100644 index 0000000000..75fd7c7798 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-files.png differ 
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-mde-ah-export-expanded.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-mde-ah-export-expanded.png
new file mode 100644
index 0000000000..50dcbf7715
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-mde-ah-export-expanded.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-mde-ah-export.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-mde-ah-export.png
new file mode 100644
index 0000000000..f0e2056bcc
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-mde-ah-export.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-mde-ah-parsing-expanded.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-mde-ah-parsing-expanded.png
new file mode 100644
index 0000000000..ef32ad6c9a
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-mde-ah-parsing-expanded.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-mde-ah-parsing.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-mde-ah-parsing.png
new file mode 100644
index 0000000000..09e857e82e
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-mde-ah-parsing.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-system-expanded.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-system-expanded.png
new file mode 100644
index 0000000000..5b3de97aff
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-system-expanded.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-system.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-system.png
new file mode 100644
index 0000000000..ee1af12b3d
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-system.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-rule-creation-expanded.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-rule-creation-expanded.png
new file mode 100644
index 0000000000..5ae44b24cd
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-rule-creation-expanded.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-rule-creation.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-rule-creation.png
new file mode 100644
index 0000000000..4fd2a0813f
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-rule-creation.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md index fc266be640..e0b383d280 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md @@ -15,7 +15,7 @@ author: jgeurten ms.reviewer: jsuther ms.author: vinpa manager: aaroncz -ms.date: 11/01/2022 +ms.date: 02/08/2023 ms.technology: itpro-security ms.topic: article --- @@ -72,7 +72,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- ```xml - 10.0.25210.0 + 10.0.25290.0 {2E07F7E4-194C-4D20-B7C9-6F44A6C5A234} @@ -201,6 +201,56 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -229,11 +279,16 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - + + + + + + @@ -413,18 +468,44 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -557,6 +638,12 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- + + + + + + @@ -713,16 +800,6 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - - - - - - - - - - @@ -745,37 +822,54 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- + + + + + + + + + + + + + + + - - - - + - + + + + + + + - @@ -785,7 +879,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - + 
@@ -797,70 +891,47 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - - - - - - - + + + - + - - - - - + + + + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + @@ -868,14 +939,232 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - + - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -885,17 +1174,139 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - - + + + + - - + + + + - - + + + - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -927,36 +1338,6 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - @@ -972,24 +1353,6 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - - - - - - - - - - - - - - - - - - 
@@ -998,394 +1361,184 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -1393,38 +1546,69 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- + + + + + + + + + - + + + + + + + - + + + + + + + + + + + + - + + + + + + @@ -1433,58 +1617,26 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + - + 
@@ -1495,675 +1647,776 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - + @@ -2179,7 +2432,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - 10.0.25210.0 + 10.0.25290.0 diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-base-policy.md b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-base-policy.md index b4c9fd2969..73c7ef9d1e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-base-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-base-policy.md @@ -10,7 +10,7 @@ ms.pagetype: security ms.localizationpriority: medium audience: ITPro author: jgeurten -ms.reviewer: isbrahm +ms.reviewer: jsuther1974 ms.author: vinpa manager: aaroncz ms.topic: conceptual 
diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-parsing-event-logs.md b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-parsing-event-logs.md
new file mode 100644
index 0000000000..c89baad871
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-parsing-event-logs.md
@@ -0,0 +1,141 @@ +--- +title: Windows Defender Application Control Wizard WDAC Event Parsing +description: Creating WDAC policy rules from the WDAC event logs and the MDE Advanced Hunting WDAC events. +keywords: WDAC event parsing, allow listing, block listing, security, malware +ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb +ms.prod: windows-client +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +audience: ITPro +author: jgeurten +ms.reviewer: jsuther1974 +ms.author: vinpa +manager: aaroncz +ms.topic: conceptual +ms.date: 02/01/2023 +ms.technology: itpro-security +--- + +# Creating WDAC Policy Rules from WDAC Events in the Wizard + +**Applies to** + +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +> [!NOTE] +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). + +As of [version 2.2.0.0](https://webapp-wdac-wizard.azurewebsites.net/archives.html), the WDAC Wizard supports creating WDAC policy rules from the following event log types: + +1. [WDAC event log events on the system](#wdac-event-viewer-log-parsing) +2. [Exported WDAC events (EVTX files) from any system](#wdac-event-log-file-parsing) +3. [Exported WDAC events from MDE Advanced Hunting](#mde-advanced-hunting-wdac-event-parsing) + + +## WDAC Event Viewer Log Parsing + +To create rules from the WDAC event logs on the system: + +1. Select **Policy Editor** from the WDAC Wizard main page. +2. Select **Convert Event Log to a WDAC Policy**. +3. Select the **Parse Event Logs** button under the **Parse Event Logs from the System Event Viewer to Policy** header. + + The Wizard will parse the relevant audit and block events from the CodeIntegrity (WDAC) Operational and AppLocker MSI and Script logs. You'll see a notification when the Wizard successfully finishes reading the events. 
+ + > [!div class="mx-imgBorder"] + > [![Parse WDAC and AppLocker event log system events](images/wdac-wizard-event-log-system.png)](images/wdac-wizard-event-log-system-expanded.png) + +4. Select the Next button to view the audit and block events and create rules. +5. [Generate rules from the events](#creating-policy-rules-from-the-events). + +## WDAC Event Log File Parsing + +To create rules from the WDAC `.EVTX` event logs files on the system: + +1. Select **Policy Editor** from the WDAC Wizard main page. +2. Select **Convert Event Log to a WDAC Policy**. +3. Select the **Parse Log File(s)** button under the **Parse Event Log evtx Files to Policy** header. +4. Select the WDAC CodeIntegrity Event log EVTX file(s) from the disk to parse. + + The Wizard will parse the relevant audit and block events from the selected log files. You'll see a notification when the Wizard successfully finishes reading the events. + + > [!div class="mx-imgBorder"] + > [![Parse evtx file WDAC events](images/wdac-wizard-event-log-files.png)](images/wdac-wizard-event-log-files-expanded.png) + +5. Select the Next button to view the audit and block events and create rules. +6. [Generate rules from the events](#creating-policy-rules-from-the-events). + +## MDE Advanced Hunting WDAC Event Parsing + +To create rules from the WDAC events in [MDE Advanced Hunting](querying-application-control-events-centrally-using-advanced-hunting.md): + +1. Navigate to the Advanced Hunting section within the MDE console and query the WDAC events. 
**The Wizard requires the following fields** in the Advanced Hunting csv file export: + + ```KQL + | project Timestamp, DeviceId, DeviceName, ActionType, FileName, FolderPath, SHA1, SHA256, IssuerName, IssuerTBSHash, PublisherName, PublisherTBSHash, AuthenticodeHash, PolicyId, PolicyName + ``` + + The following Advanced Hunting query is recommended: + + ```KQL + DeviceEvents + // Take only WDAC events + | where ActionType startswith 'AppControlCodeIntegrity' + // SigningInfo Fields + | extend IssuerName = parsejson(AdditionalFields).IssuerName + | extend IssuerTBSHash = parsejson(AdditionalFields).IssuerTBSHash + | extend PublisherName = parsejson(AdditionalFields).PublisherName + | extend PublisherTBSHash = parsejson(AdditionalFields).PublisherTBSHash + // Audit/Block Fields + | extend AuthenticodeHash = parsejson(AdditionalFields).AuthenticodeHash + | extend PolicyId = parsejson(AdditionalFields).PolicyID + | extend PolicyName = parsejson(AdditionalFields).PolicyName + // Keep only required fields for the WDAC Wizard + | project Timestamp,DeviceId,DeviceName,ActionType,FileName,FolderPath,SHA1,SHA256,IssuerName,IssuerTBSHash,PublisherName,PublisherTBSHash,AuthenticodeHash,PolicyId,PolicyName + ``` + +2. Export the WDAC event results by selecting the **Export** button in the results view. + + > [!div class="mx-imgBorder"] + > [![Export the MDE Advanced Hunting results to CSV](images/wdac-wizard-event-log-mde-ah-export.png)](images/wdac-wizard-event-log-mde-ah-export-expanded.png) + +3. Select **Policy Editor** from the WDAC Wizard main page. +4. Select **Convert Event Log to a WDAC Policy**. +5. Select the **Parse Log File(s)** button under the "Parse MDE Advanced Hunting Events to Policy" header. +6. Select the WDAC MDE Advanced Hunting export CSV files from the disk to parse. + + The Wizard will parse the relevant audit and block events from the selected Advanced Hunting log files. 
You'll see a notification when the Wizard successfully finishes reading the events. + + > [!div class="mx-imgBorder"] + > [![Parse the Advanced Hunting CSV WDAC event files](images/wdac-wizard-event-log-mde-ah-parsing.png)](images/wdac-wizard-event-log-mde-ah-parsing-expanded.png) + +7. Select the Next button to view the audit and block events and create rules. +8. [Generate rules from the events](#creating-policy-rules-from-the-events). + +## Creating Policy Rules from the Events + +On the "Configure Event Log Rules" page, the unique WDAC log events will be shown in the table. Event Ids, filenames, product names, the policy name that audited or blocked the file, and the file publisher are all shown in the table. The table can be sorted alphabetically by clicking on any of the headers. + +To create a rule and add it to the WDAC policy: + +1. Select an audit or block event in the table by selecting the row of interest. +2. Select a rule type from the dropdown. The Wizard supports creating Publisher, Path, File Attribute, Packaged App and Hash rules. +3. Select the attributes and fields that should be added to the policy rules using the checkboxes provided for the rule type. +4. Select the **Add Allow Rule** button to add the configured rule to the policy generated by the Wizard. The "Added to policy" label will be added to the selected row confirming that the rule will be generated. + + > [!div class="mx-imgBorder"] + > [![Adding a publisher rule to the WDAC policy](images/wdac-wizard-event-rule-creation.png)](images/wdac-wizard-event-rule-creation-expanded.png) + +5. Select the **Next** button to output the policy. Once generated, the event log policy should be merged with your base or supplemental policies. + +> [!WARNING] +> It is not recommended to deploy the event log policy on its own, as it likely lacks rules to authorize Windows and may cause blue screens. 
+ + +## Up next + +- [Merging Windows Defender Application Control (WDAC) policies using the Wizard](wdac-wizard-merging-policies.md) diff --git a/windows/security/threat-protection/windows-platform-common-criteria.md b/windows/security/threat-protection/windows-platform-common-criteria.md index 5d976ff196..ecb03506c1 100644 --- a/windows/security/threat-protection/windows-platform-common-criteria.md +++ b/windows/security/threat-protection/windows-platform-common-criteria.md @@ -2,13 +2,13 @@ title: Common Criteria Certifications description: This topic details how Microsoft supports the Common Criteria certification program. ms.prod: windows-client -ms.author: paoloma -author: paolomatarazzo +ms.author: sushmanemali +author: s4sush manager: aaroncz ms.topic: article ms.localizationpriority: medium ms.date: 11/4/2022 -ms.reviewer: +ms.reviewer: paoloma ms.technology: itpro-security --- @@ -24,12 +24,16 @@ The product releases below are currently certified against the cited *Protection - The *Administrative Guide* provides guidance on configuring the product to match the evaluated configuration - The *Certification Report or Validation Report* documents the results of the evaluation by the validation team, with the *Assurance Activity Report* providing details on the evaluator's actions -For more details, expand each product section. +### Windows 11, Windows 10 (version 20H2, 21H1, 21H2), Windows Server, Windows Server 2022, Azure Stack HCIv2 version 21H2, Azure Stack Hub and Edge -
+Certified against the Protection Profile for General Purpose Operating Systems, including the Extended Package for Wireless Local Area Network Clients and the Module for Virtual Private Network Clients -
- Windows 10, version 2004, Windows Server, version 2004, Windows Server Core Datacenter (Azure Fabric Controller), Windows Server Core Datacenter (Azure Stack) +- [Security Target](https://download.microsoft.com/download/c/5/9/c59832ff-414b-4f15-8273-d0c349a0b154/Microsoft%20Windows,%20Windows%20Server,%20Azure%20Stack%20Security%20Target%20(21H2%20et%20al).pdf) +- [Administrative Guide](https://download.microsoft.com/download/9/1/7/9178ce6a-8117-42e7-be0d-186fc4a89ca6/Microsoft%20Windows,%20Windows%20Server,%20Azure%20Stack%20Administrative%20Guide%20(21H2%20et%20al).pdf) +- [Assurance Activity Report](https://download.microsoft.com/download/4/1/6/416151fe-63e7-48c0-a485-1d87148c71fe/Microsoft%20Windows,%20Windows%20Server,%20Azure%20Stack%20Assurance%20Activity%20Report%20(21H2%20et%20al).pdf) +- [Validation Report](https://download.microsoft.com/download/e/3/7/e374af1a-3c5d-42ee-8e19-df47d2c0e3d6/Microsoft%20Windows,%20Windows%20Server,%20Azure%20Stack%20Validation%20Report%20(21H2%20et%20al).pdf) + +### Windows 10, version 2004, Windows Server, version 2004, Windows Server Core Datacenter (Azure Fabric Controller), Windows Server Core Datacenter (Azure Stack) Certified against the Protection Profile for General Purpose Operating Systems, including the Extended Package for Wireless Local Area Network Clients and the Module for Virtual Private Network Clients @@ -38,10 +42,7 @@ Certified against the Protection Profile for General Purpose Operating Systems, - [Validation Report](https://download.microsoft.com/download/1/c/b/1cb65e32-f87d-41dd-bc29-88dc943fad9d/Windows%2010%202004%20GP%20OS%20Validation%20Reports.pdf) - [Assurance Activity Report](https://download.microsoft.com/download/3/2/4/324562b6-0917-4708-8f9d-8d2d12859839/Windows%2010%202004%20GP%20OS%20Assurance%20Activity%20Report-Public%20.pdf) -
- -
- Windows 10, version 1909, Windows Server, version 1909, Windows Server 2019, version 1809 Hyper-V +### Windows 10, version 1909, Windows Server, version 1909, Windows Server 2019, version 1809 Hyper-V Certified against the Protection Profile for Virtualization, including the Extended Package for Server Virtualization. @@ -50,10 +51,7 @@ Certified against the Protection Profile for Virtualization, including the Exten - [Validation Report](https://download.microsoft.com/download/4/7/6/476ca991-631d-4943-aa89-b0cd4f448d14/Windows%20+%20Windows%20Server%201909,%20Windows%20Server%202019%20Hyper-V%20Validation%20Report.pdf) - [Assurance Activities Report](https://download.microsoft.com/download/3/b/4/3b4818d8-62a1-4b8d-8cb4-9b3256564355/Windows%20+%20Windows%20Server%201909,%20Windows%20Server%202019%20Hyper-V%20Assurance%20Activity%20Report.pdf) -
- -
- Windows 10, version 1909, Windows Server, version 1909 +### Windows 10, version 1909, Windows Server, version 1909 Certified against the Protection Profile for General Purpose Operating Systems, including the Extended Package for Wireless Local Area Network Clients and the Module for Virtual Private Network Clients. @@ -62,10 +60,7 @@ Certified against the Protection Profile for General Purpose Operating Systems, - [Certification Report](https://download.microsoft.com/download/9/f/3/9f350b73-1790-4dcb-97f7-a0e65a00b55f/Windows%2010%201909%20GP%20OS%20Certification%20Report.pdf) - [Assurance Activity Report](https://download.microsoft.com/download/0/0/d/00d26b48-a051-4e9a-8036-850d825f8ef9/Windows%2010%201909%20GP%20OS%20Assurance%20Activity%20Report.pdf) -
- -
- Windows 10, version 1903, Windows Server, version 1903 +### Windows 10, version 1903, Windows Server, version 1903 Certified against the Protection Profile for General Purpose Operating Systems, including the Extended Package for Wireless Local Area Network Clients. @@ -74,10 +69,7 @@ Certified against the Protection Profile for General Purpose Operating Systems, - [Certification Report](https://download.microsoft.com/download/2/1/9/219909ad-2f2a-44cc-8fcb-126f28c74d36/Windows%2010%201903%20GP%20OS%20Certification%20Report.pdf) - [Assurance Activity Report](https://download.microsoft.com/download/2/a/1/2a103b68-cd12-4476-8945-873746b5f432/Windows%2010%201903%20GP%20OS%20Assurance%20Activity%20Report.pdf) -
- -
- Windows 10, version 1809, Windows Server, version 1809 +### Windows 10, version 1809, Windows Server, version 1809 Certified against the Protection Profile for General Purpose Operating Systems, including the Extended Package for Wireless Local Area Network Clients. @@ -86,10 +78,7 @@ Certified against the Protection Profile for General Purpose Operating Systems, - [Certification Report](https://download.microsoft.com/download/9/4/0/940ac551-7757-486d-9da1-7aa0300ebac0/Windows%2010%20version%201809%20GP%20OS%20Certification%20Report%20-%202018-61-INF-2795.pdf) - [Assurance Activity Report](https://download.microsoft.com/download/a/6/6/a66bfcf1-f6ef-4991-ab06-5b1c01f91983/Windows%2010%201809%20GP%20OS%20Assurance%20Activity%20Report.pdf) -
- -
- Windows 10, version 1803, Windows Server, version 1803 +### Windows 10, version 1803, Windows Server, version 1803 Certified against the Protection Profile for General Purpose Operating Systems, including the Extended Package for Wireless Local Area Network Clients. @@ -98,10 +87,7 @@ Certified against the Protection Profile for General Purpose Operating Systems, - [Certification Report](https://download.microsoft.com/download/6/7/1/67167BF2-885D-4646-A61E-96A0024B52BB/Windows%2010%201803%20GP%20OS%20Certification%20Report.pdf) - [Assurance Activity Report](https://download.microsoft.com/download/b/3/d/b3da41b6-6ebc-4a26-a581-2d2ad8d8d1ac/Windows%2010%201803%20GP%20OS%20Assurance%20Activity%20Report.pdf) -
- -
- Windows 10, version 1709, Windows Server, version 1709 +### Windows 10, version 1709, Windows Server, version 1709 Certified against the Protection Profile for General Purpose Operating Systems. @@ -110,10 +96,7 @@ Certified against the Protection Profile for General Purpose Operating Systems. - [Certification Report](https://download.microsoft.com/download/2/C/2/2C20D013-0610-4047-B2FA-516819DFAE0A/Windows%2010%201709%20GP%20OS%20Certification%20Report.pdf) - [Assurance Activity Report](https://download.microsoft.com/download/e/7/6/e7644e3c-1e59-4754-b071-aec491c71849/Windows%2010%201709%20GP%20OS%20Assurance%20Activity%20Report.pdf) -
- -
- Windows 10, version 1703, Windows Server, version 1703 +### Windows 10, version 1703, Windows Server, version 1703 Certified against the Protection Profile for General Purpose Operating Systems. @@ -122,10 +105,7 @@ Certified against the Protection Profile for General Purpose Operating Systems. - [Certification Report](https://download.microsoft.com/download/3/2/c/32cdf627-dd23-4266-90ff-2f9685fd15c0/2017-49%20inf-2218%20cr.pdf) - [Assurance Activity Report](https://download.microsoft.com/download/a/e/9/ae9a2235-e1cd-4869-964d-c8260f604367/Windows%2010%201703%20GP%20OS%20Assurance%20Activity%20Report.pdf) -
- -
- Windows 10, version 1607, Windows Server 2016 +### Windows 10, version 1607, Windows Server 2016 Certified against the Protection Profile for General Purpose Operating Systems. @@ -134,10 +114,7 @@ Certified against the Protection Profile for General Purpose Operating Systems. - [Validation Report](https://download.microsoft.com/download/5/4/8/548cc06e-c671-4502-bebf-20d38e49b731/2016-36-inf-1779.pdf) - [Assurance Activity Report](https://download.microsoft.com/download/a/5/f/a5f08a43-75f9-4433-bd77-aeb14276e587/Windows%2010%201607%20GP%20OS%20Assurance%20Activity%20Report.pdf) -
- -
- Windows 10, version 1507, Windows Server 2012 R2 +### Windows 10, version 1507, Windows Server 2012 R2 Certified against the Protection Profile for General Purpose Operating Systems. @@ -146,8 +123,6 @@ Certified against the Protection Profile for General Purpose Operating Systems. - [Certification Report](https://www.commoncriteriaportal.org/files/epfiles/cr_windows10.pdf) - [Assurance Activity Report](https://download.microsoft.com/download/7/e/5/7e5575c9-10f9-4f3d-9871-bd7cf7422e3b/Windows%2010%20(1507),%20Windows%20Server%202012%20R2%20GPOS%20Assurance%20Activity%20Report.pdf) -
- ## Archived certified products The product releases below were certified against the cited *Protection Profile* and are now archived, as listed on the [Common Criteria Portal](https://www.commoncriteriaportal.org/products/index.cfm?archived=1): @@ -156,12 +131,7 @@ The product releases below were certified against the cited *Protection Profile* - The *Administrative Guide* provides guidance on configuring the product to match the evaluated configuration - The *Certification Report or Validation Report* documents the results of the evaluation by the validation team, with the *Assurance Activity Report* providing details on the evaluator's actions -For more details, expand each product section. - - -
-
- Windows Server 2016, Windows Server 2012 R2, Windows 10 +### Windows Server 2016, Windows Server 2012 R2, Windows 10 Certified against the Protection Profile for Server Virtualization. @@ -170,10 +140,7 @@ Certified against the Protection Profile for Server Virtualization. - [Validation Report](https://download.microsoft.com/download/a/3/3/a336f881-4ac9-4c79-8202-95289f86bb7a/st_vid10823-vr.pdf) - [Assurance Activity Report](https://download.microsoft.com/download/3/f/c/3fcc76e1-d471-4b44-9a19-29e69b6ab899/Windows%2010%20Hyper-V,%20Server%202016,%20Server%202012%20R2%20Virtualization%20Assurance%20Activity%20Report.pdf) -
- -
- Windows 10, version 1607, Windows 10 Mobile, version 1607 +### Windows 10, version 1607, Windows 10 Mobile, version 1607 Certified against the Protection Profile for Mobile Device Fundamentals. @@ -182,10 +149,7 @@ Certified against the Protection Profile for Mobile Device Fundamentals. - [Validation Report](https://download.microsoft.com/download/f/2/f/f2f7176e-34f4-4ab0-993c-6606d207bb3c/st_vid10752-vr.pdf) - [Assurance Activity Report](https://download.microsoft.com/download/9/3/9/939b44a8-5755-4d4c-b020-d5e8b89690ab/Windows%2010%20and%20Windows%2010%20Mobile%201607%20MDF%20Assurance%20Activity%20Report.pdf) -
- -
- Windows 10, version 1607, Windows Server 2016 +### Windows 10, version 1607, Windows Server 2016 Certified against the Protection Profile for IPsec Virtual Private Network (VPN) Clients. @@ -194,10 +158,7 @@ Certified against the Protection Profile for IPsec Virtual Private Network (VPN) - [Validation Report](https://download.microsoft.com/download/2/0/a/20a8e686-3cd9-43c4-a22a-54b552a9788a/st_vid10753-vr.pdf) - [Assurance Activity Report](https://download.microsoft.com/download/b/8/d/b8ddc36a-408a-4d64-a31c-d41c9c1e9d9e/Windows%2010%201607,%20Windows%20Server%202016%20IPsec%20VPN%20Client%20Assurance%20Activity%20Report.pdf) -
- -
- Windows 10, version 1511 +### Windows 10, version 1511 Certified against the Protection Profile for Mobile Device Fundamentals. @@ -206,10 +167,7 @@ Certified against the Protection Profile for Mobile Device Fundamentals. - [Validation Report](https://download.microsoft.com/download/d/c/b/dcb7097d-1b9f-4786-bb07-3c169fefb579/st_vid10715-vr.pdf) - [Assurance Activity Report](https://download.microsoft.com/download/1/f/1/1f12ed80-6d73-4a16-806f-d5116814bd7c/Windows%2010%20November%202015%20Update%20(1511)%20MDF%20Assurance%20Activity%20Report.pdf) -
- -
- Windows 10, version 1507, Windows 10 Mobile, version 1507 +### Windows 10, version 1507, Windows 10 Mobile, version 1507 Certified against the Protection Profile for Mobile Device Fundamentals. @@ -218,10 +176,7 @@ Certified against the Protection Profile for Mobile Device Fundamentals. - [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10694-vr.pdf) - [Assurance Activity Report](https://download.microsoft.com/download/a/1/3/a1365491-0a53-42cd-bd73-ca4067c43d86/Windows%2010,%20Windows%2010%20Mobile%20(1507)%20MDF%20Assurance%20Activity%20Report.pdf) -
- -
- Windows 10, version 1507 +### Windows 10, version 1507 Certified against the Protection Profile for IPsec Virtual Private Network (VPN) Clients. @@ -230,10 +185,7 @@ Certified against the Protection Profile for IPsec Virtual Private Network (VPN) - [Validation Report](https://download.microsoft.com/download/9/b/6/9b633763-6078-48aa-b9ba-960da2172a11/st_vid10746-vr.pdf) - [Assurance Activity Report](https://download.microsoft.com/download/9/3/6/93630ffb-5c06-4fea-af36-164da3e359c9/Windows%2010%20IPsec%20VPN%20Client%20Assurance%20Activity%20Report.pdf) -
- -
- Windows 8.1 with Surface 3, Windows Phone 8.1 with Lumia 635 and Lumia 830 +### Windows 8.1 with Surface 3, Windows Phone 8.1 with Lumia 635 and Lumia 830 Certified against the Protection Profile for Mobile Device Fundamentals. @@ -241,10 +193,7 @@ Certified against the Protection Profile for Mobile Device Fundamentals. - [Administrative Guide](https://download.microsoft.com/download/b/e/3/be365594-daa5-4af3-a6b5-9533d61eae32/surface%20pro%203%20mobile%20operational%20guidance.docx) - [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10635-vr.pdf) -
- -
- Surface Pro 3, Windows 8.1 +### Surface Pro 3, Windows 8.1 Certified against the Protection Profile for Mobile Device Fundamentals. @@ -252,10 +201,7 @@ Certified against the Protection Profile for Mobile Device Fundamentals. - [Administrative Guide](https://download.microsoft.com/download/b/e/3/be365594-daa5-4af3-a6b5-9533d61eae32/surface%20pro%203%20mobile%20operational%20guidance.docx) - [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10632-vr.pdf) -
- -
- Windows 8.1, Windows Phone 8.1 +### Windows 8.1, Windows Phone 8.1 Certified against the Protection Profile for Mobile Device Fundamentals. @@ -263,10 +209,7 @@ Certified against the Protection Profile for Mobile Device Fundamentals. - [Administrative Guide](https://download.microsoft.com/download/b/0/e/b0e30225-5017-4241-ac0a-6c40bc8e6714/mobile%20operational%20guidance.docx) - [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10592-vr.pdf) -
- -
- Windows 8, Windows Server 2012 +### Windows 8, Windows Server 2012 Certified against the Protection Profile for General Purpose Operating Systems. @@ -274,10 +217,7 @@ Certified against the Protection Profile for General Purpose Operating Systems. - [Administrative Guide](https://download.microsoft.com/download/6/0/b/60b27ded-705a-4751-8e9f-642e635c3cf3/microsoft%20windows%208%20windows%20server%202012%20common%20criteria%20supplemental%20admin%20guidance.docx) - [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10520-vr.pdf) -
- -
- Windows 8, Windows RT +### Windows 8, Windows RT Certified against the Protection Profile for General Purpose Operating Systems. @@ -285,10 +225,7 @@ Certified against the Protection Profile for General Purpose Operating Systems. - [Administrative Guide](https://download.microsoft.com/download/8/6/e/86e8c001-8556-4949-90cf-f5beac918026/microsoft%20windows%208%20microsoft%20windows%20rt%20common%20criteria%20supplemental%20admin.docx) - [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10620-vr.pdf) -
- -
- Windows 8, Windows Server 2012 BitLocker +### Windows 8, Windows Server 2012 BitLocker Certified against the Protection Profile for Full Disk Encryption. @@ -296,10 +233,7 @@ Certified against the Protection Profile for Full Disk Encryption. - [Administrative Guide](https://download.microsoft.com/download/0/8/4/08468080-540b-4326-91bf-f2a33b7e1764/administrative%20guidance%20for%20software%20full%20disk%20encryption%20clients.pdf) - [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10540-vr.pdf) -
- -
- Windows 8, Windows RT, Windows Server 2012 IPsec VPN Client +### Windows 8, Windows RT, Windows Server 2012 IPsec VPN Client Certified against the Protection Profile for IPsec Virtual Private Network (VPN) Clients. @@ -307,10 +241,7 @@ Certified against the Protection Profile for IPsec Virtual Private Network (VPN) - [Administrative Guide](https://download.microsoft.com/download/a/9/f/a9fd7e2d-023b-4925-a62f-58a7f1a6bd47/microsoft%20windows%208%20windows%20server%202012%20supplemental%20admin%20guidance%20ipsec%20vpn%20client.docx) - [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10529-vr.pdf) -
- -
- Windows 7, Windows Server 2008 R2 +### Windows 7, Windows Server 2008 R2 Certified against the Protection Profile for General Purpose Operating Systems. @@ -318,46 +249,31 @@ Certified against the Protection Profile for General Purpose Operating Systems. - [Administrative Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=ee05b6d0-9939-4765-9217-63083bb94a00) - [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10390-vr.pdf) -
- -
- Microsoft Windows Server 2008 R2 Hyper-V Role +### Microsoft Windows Server 2008 R2 Hyper-V Role - [Security Target](https://www.microsoft.com/download/en/details.aspx?id=29305) - [Administrative Guide](https://www.microsoft.com/download/en/details.aspx?id=29308) - [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/0570a_pdf.pdf) -
- -
- Windows Vista, Windows Server 2008 at EAL4+ +### Windows Vista, Windows Server 2008 at EAL4+ - [Security Target](https://www.commoncriteriaportal.org/files/epfiles/st_vid10291-st.pdf) - [Administrative Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=06166288-24c4-4c42-9daa-2b2473ddf567) - [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10291-vr.pdf) -
- -
- Windows Vista, Windows Server 2008 at EAL1 +### Windows Vista, Windows Server 2008 at EAL1 - [Security Target](https://www.commoncriteriaportal.org/files/epfiles/efs-t005_msvista_msserver2008_eal1_st_v1.0.pdf) - [Administrative Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=06166288-24c4-4c42-9daa-2b2473ddf567) - [Certification Report](https://www.commoncriteriaportal.org/files/epfiles/efs-t005_msvista_msserver2008_eal1_cr_v1.0.pdf) -
- -
- Microsoft Windows Server 2008 Hyper-V Role +### Microsoft Windows Server 2008 Hyper-V Role - [Security Target](https://www.commoncriteriaportal.org/files/epfiles/0570b_pdf.pdf) - [Administrative Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=cb19538d-9e13-4ab6-af38-8f48abfdad08) - [Certification Report](http://www.commoncriteriaportal.org:80/files/epfiles/0570a_pdf.pdf) -
- -
- Windows Server 2003 Certificate Server +### Windows Server 2003 Certificate Server - [Security Target](https://www.commoncriteriaportal.org/files/epfiles/st_vid9507-st.pdf) - [Administrator's Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=445093d8-45e2-4cf6-884c-8802c1e6cb2d) @@ -366,12 +282,7 @@ Certified against the Protection Profile for General Purpose Operating Systems. - [Evaluation Technical Report](https://www.microsoft.com/downloads/details.aspx?familyid=a594e77f-dcbb-4787-9d68-e4689e60a314) - [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid9507-vr.pdf) -
- -
- Windows Rights Management Services +### Windows Rights Management Services - [Security Target](https://www.commoncriteriaportal.org/files/epfiles/st_vid10224-st.pdf) - [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10224-vr.pdf) - -
\ No newline at end of file diff --git a/windows/whats-new/TOC.yml b/windows/whats-new/TOC.yml index d432c8a8ff..0e145097a8 100644 --- a/windows/whats-new/TOC.yml +++ b/windows/whats-new/TOC.yml @@ -31,5 +31,7 @@ href: feature-lifecycle.md - name: Deprecated Windows features href: deprecated-features.md + - name: Resources for deprecated features + href: deprecated-features-resources.md - name: Removed Windows features href: removed-features.md \ No newline at end of file diff --git a/windows/whats-new/deprecated-features-resources.md b/windows/whats-new/deprecated-features-resources.md new file mode 100644 index 0000000000..e2f67c9051 --- /dev/null +++ b/windows/whats-new/deprecated-features-resources.md 
@@ -0,0 +1,73 @@
+---
+title: Resources for deprecated features in the Windows client
+description: Resources and details for deprecated features in the Windows Client.
+ms.date: 02/14/2023
+ms.prod: windows-client
+ms.technology: itpro-fundamentals
+ms.localizationpriority: medium
+author: mestew
+ms.author: mstewart
+manager: aaroncz
+ms.reviewer:
+ms.topic: reference
+---
+
+# Resources for deprecated features
+
+**Applies to**
+
+- Windows 10
+- Windows 11
+
+This article provides additional resources about [deprecated features for Windows client](deprecated-features.md) that may be needed by IT professionals. The following information is provided to help IT professionals plan for the removal of deprecated features:
+
+## Microsoft Support Diagnostic Tool resources
+
+The [Microsoft Support Diagnostic Tool (MSDT)](/windows-server/administration/windows-commands/msdt) gathers diagnostic data for analysis by support professionals. MSDT is the engine used to run legacy Windows built-in troubleshooters. There are currently 28 built-in troubleshooters for MSDT. Half of the built-in troubleshooters have already been [redirected](#redirected-msdt-troubleshooters) to the Get Help platform, while the other half will be [retired](#retired-msdt-troubleshooters).
+
+If you're using MSDT to run [custom troubleshooting packages](/previous-versions/windows/desktop/wintt/package-schema), it will be available as a [Feature on Demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities) before the tool is fully retired in 2025. This change will allow you to continue to use MSDT to run custom troubleshooting packages while transitioning to a new platform. [Contact Microsoft support](https://support.microsoft.com/contactus) for Windows if you require additional assistance.
+
+### Redirected MSDT troubleshooters
+
+The following troubleshooters will automatically be redirected when you access them from **Start** > **Settings** > **System** > **Troubleshoot**:
+
+- Background Intelligent Transfer Service (BITS)
+- Bluetooth
+- Camera
+- Internet Connections
+- Network Adapter
+- Playing Audio
+- Printer
+- Program Compatibility Troubleshooter
+- Recording Audio
+- Video Playback
+- Windows Network Diagnostics
+- Windows Media Player DVD
+- Windows Media Player Library
+- Windows Media Player Settings
+- Windows Update
+
+### Retired MSDT troubleshooters
+
+The following troubleshooters will be removed in a future release of Windows:
+
+- Connection to a Workplace using DirectAccess
+- Devices and Printers
+- Hardware and Devices
+- HomeGroup
+- Incoming Connections
+- Internet Explorer Performance
+- Internet Explorer Safety
+- Keyboard
+- Power
+- Search and Indexing
+- Speech
+- System Maintenance
+- Shared Folders
+- Windows Store Apps
+
+## Next steps
+
+- [Windows feature lifecycle](feature-lifecycle.md)
+- [Deprecated Windows features](deprecated-features.md)
+- [Removed Windows features](removed-features.md)
diff --git a/windows/whats-new/deprecated-features.md b/windows/whats-new/deprecated-features.md
index 3c58ebfc65..c32948df18 100644
--- a/windows/whats-new/deprecated-features.md
+++ b/windows/whats-new/deprecated-features.md
@@ -36,6 +36,7 @@ The features in this article are no longer being actively developed, and might b |Feature | Details and mitigation | Deprecation announced | | ----------- | --------------------- | ---- | +| Microsoft Support Diagnostic Tool (MSDT) | [MSDT](/windows-server/administration/windows-commands/msdt) is deprecated and will be removed in a future release of Windows. MSDT is used to gather diagnostic data for analysis by support professionals. For more information, see [Resources for deprecated features](deprecated-features-resources.md) | January 2023 | | Universal Windows Platform (UWP) Applications for 32-bit Arm | This change is applicable only to devices with an Arm processor, for example Snapdragon processors from Qualcomm. If you have a PC built with a processor from Intel or AMD, this content is not applicable. If you are not sure which type of processor you have, check **Settings** > **System** > **About**.

Support for 32-bit Arm versions of applications will be removed in a future release of Windows 11. After this change, for the small number of applications affected, app features might be different and you might notice a difference in performance. For more technical details about this change, see [Update app architecture from Arm32 to Arm64](/windows/arm/arm32-to-arm64). | January 2023 | | Update Compliance | [Update Compliance](/windows/deployment/update/update-compliance-monitor), a cloud-based service for the Windows client, is no longer being developed. This service has been replaced with [Windows Update for Business reports](/windows/deployment/update/wufb-reports-overview), which provides reporting on client compliance with Microsoft updates from the Azure portal. | November 2022| | Windows Information Protection | [Windows Information Protection](/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip) will no longer be developed in future versions of Windows. For more information, see [Announcing sunset of Windows Information Protection (WIP)](https://go.microsoft.com/fwlink/?linkid=2202124).

For your data protection needs, Microsoft recommends that you use [Microsoft Purview Information Protection](/microsoft-365/compliance/information-protection) and [Microsoft Purview Data Loss Prevention](/microsoft-365/compliance/dlp-learn-about-dlp). | July 2022 | diff --git a/windows/whats-new/docfx.json b/windows/whats-new/docfx.json index 19bd51f371..bd292f17c7 100644 --- a/windows/whats-new/docfx.json +++ b/windows/whats-new/docfx.json @@ -34,6 +34,9 @@ "externalReference": [], "globalMetadata": { "recommendations": true, + "ms.collection": [ + "tier2" + ], "breadcrumb_path": "/windows/resources/breadcrumb/toc.json", "uhfHeaderId": "MSDocsHeader-M365-IT", "ms.topic": "article",