The root node. +The root node. -
Supported operation is Get. +Supported operation is Get. **ApprovedUpdates** -
Node for update approvals and EULA acceptance on behalf of the end-user. +Node for update approvals and EULA acceptance on behalf of the end-user. > [!NOTE] > When the RequireUpdateApproval policy is set, the MDM uses the ApprovedUpdates list to pass the approved GUIDs. These GUIDs should be a subset of the InstallableUpdates list. -
The MDM must first present the EULA to IT and have them accept it before the update is approved. Failure to do this is a breach of legal or contractual obligations. The EULAs can be obtained from the update metadata and have their own EULA ID. It's possible for multiple updates to share the same EULA. It is only necessary to approve the EULA once per EULA ID, not one per update. +The MDM must first present the EULA to IT and have them accept it before the update is approved. Failure to do this is a breach of legal or contractual obligations. The EULAs can be obtained from the update metadata and have their own EULA ID. It's possible for multiple updates to share the same EULA. It is only necessary to approve the EULA once per EULA ID, not one per update. -
The update approval list enables IT to approve individual updates and update classifications. Auto-approval by update classifications allows IT to automatically approve Definition Updates (that is, updates to the virus and spyware definitions on devices) and Security Updates (that is, product-specific updates for security-related vulnerability). The update approval list doesn't support the uninstallation of updates by revoking approval of already installed updates. Updates are approved based on UpdateID, and an UpdateID only needs to be approved once. An update UpdateID and RevisionNumber are part of the UpdateIdentity type. An UpdateID can be associated to several UpdateIdentity GUIDs due to changes to the RevisionNumber setting. MDM services must synchronize the UpdateIdentity of an UpdateID based on the latest RevisionNumber to get the latest metadata for an update. However, update approval is based on UpdateID. +The update approval list enables IT to approve individual updates and update classifications. Auto-approval by update classifications allows IT to automatically approve Definition Updates (that is, updates to the virus and spyware definitions on devices) and Security Updates (that is, product-specific updates for security-related vulnerability). The update approval list doesn't support the uninstallation of updates by revoking approval of already installed updates. Updates are approved based on UpdateID, and an UpdateID only needs to be approved once. An update UpdateID and RevisionNumber are part of the UpdateIdentity type. An UpdateID can be associated to several UpdateIdentity GUIDs due to changes to the RevisionNumber setting. MDM services must synchronize the UpdateIdentity of an UpdateID based on the latest RevisionNumber to get the latest metadata for an update. However, update approval is based on UpdateID. > [!NOTE] > For the Windows 10 build, the client may need to reboot after additional updates are added. -
Supported operations are Get and Add. +Supported operations are Get and Add. **ApprovedUpdates/_Approved Update Guid_** -
Specifies the update GUID. +Specifies the update GUID. -
To auto-approve a class of updates, you can specify the Update Classifications GUIDs. We strongly recommend to always specify the DefinitionsUpdates classification (E0789628-CE08-4437-BE74-2495B842F43B), which are used for anti-malware signatures. These GUIDs are released periodically (several times a day). Some businesses may also want to auto-approve security updates to get them deployed quickly. +To auto-approve a class of updates, you can specify the Update Classifications GUIDs. We strongly recommend to always specify the DefinitionsUpdates classification (E0789628-CE08-4437-BE74-2495B842F43B), which are used for anti-malware signatures. These GUIDs are released periodically (several times a day). Some businesses may also want to auto-approve security updates to get them deployed quickly. -
Supported operations are Get and Add. +Supported operations are Get and Add. -
Sample syncml:
+Sample syncml:
```
Specifies the time the update gets approved. +Specifies the time the update gets approved. -
Supported operations are Get and Add. +Supported operations are Get and Add. **FailedUpdates** -
Specifies the approved updates that failed to install on a device. +Specifies the approved updates that failed to install on a device. -
Supported operation is Get. +Supported operation is Get. **FailedUpdates/_Failed Update Guid_** -
Update identifier field of the UpdateIdentity GUID that represents an update that failed to download or install. +Update identifier field of the UpdateIdentity GUID that represents an update that failed to download or install. -
Supported operation is Get. +Supported operation is Get. **FailedUpdates/*Failed Update Guid*/HResult** -
The update failure error code. +The update failure error code. -
Supported operation is Get. +Supported operation is Get. -**FailedUpdates/*Failed Update Guid*/Status** -
Specifies the failed update status (for example, download, install). +**FailedUpdates/*Failed Update Guid*/State** +Specifies the failed update state. -
Supported operation is Get. +| Update Status | Integer Value | +| -------------------------- | ------------- | +| UpdateStatusNewUpdate | 1 | +| UpdateStatusReadyToDownload| 2 | +| UpdateStatusDownloading | 4 | +| UpdateStatusDownloadBlocked| 8 | +| UpdateStatusDownloadFailed | 16 | +| UpdateStatusReadyToInstall | 32 | +| UpdateStatusInstalling | 64 | +| UpdateStatusInstallBlocked | 128 | +| UpdateStatusInstallFailed | 256 | +| UpdateStatusRebootRequired | 512 | +| UpdateStatusUpdateCompleted| 1024 | +| UpdateStatusCommitFailed | 2048 | +| UpdateStatusPostReboot | 4096 | + +Supported operation is Get. **FailedUpdates/*Failed Update Guid*/RevisionNumber** -
Added in Windows 10, version 1703. The revision number for the update that must be passed in server to server sync to get the metadata for the update. +Added in Windows 10, version 1703. The revision number for the update that must be passed in server to server sync to get the metadata for the update. -
Supported operation is Get. +Supported operation is Get. **InstalledUpdates** -
The updates that are installed on the device. +The updates that are installed on the device. -
Supported operation is Get. +Supported operation is Get. **InstalledUpdates/_Installed Update Guid_** -
UpdateIDs that represent the updates installed on a device. +UpdateIDs that represent the updates installed on a device. -
Supported operation is Get. +Supported operation is Get. **InstalledUpdates/*Installed Update Guid*/RevisionNumber** -
Added in Windows 10, version 1703. The revision number for the update that must be passed in server to server sync to get the metadata for the update. +Added in Windows 10, version 1703. The revision number for the update that must be passed in server to server sync to get the metadata for the update. -
Supported operation is Get. +Supported operation is Get. **InstallableUpdates** -
The updates that are applicable and not yet installed on the device. These updates include updates that aren't yet approved. +The updates that are applicable and not yet installed on the device. These updates include updates that aren't yet approved. -
Supported operation is Get. +Supported operation is Get. **InstallableUpdates/_Installable Update Guid_** -
Update identifiers that represent the updates applicable and not installed on a device. +Update identifiers that represent the updates applicable and not installed on a device. -
Supported operation is Get. +Supported operation is Get. **InstallableUpdates/*Installable Update Guid*/Type** -
The UpdateClassification value of the update. Valid values are: +The UpdateClassification value of the update. Valid values are: - 0 - None - 1 - Security - 2 - Critical -
Supported operation is Get. +Supported operation is Get. **InstallableUpdates/*Installable Update Guid*/RevisionNumber** -
The revision number for the update that must be passed in server to server sync to get the metadata for the update. +The revision number for the update that must be passed in server to server sync to get the metadata for the update. -
Supported operation is Get. +Supported operation is Get. **PendingRebootUpdates** -
The updates that require a reboot to complete the update session. +The updates that require a reboot to complete the update session. -
Supported operation is Get. +Supported operation is Get. **PendingRebootUpdates/_Pending Reboot Update Guid_** -
Update identifiers for the pending reboot state. +Update identifiers for the pending reboot state. -
Supported operation is Get. +Supported operation is Get. **PendingRebootUpdates/*Pending Reboot Update Guid*/InstalledTime** -
The time the update is installed. +The time the update is installed. -
Supported operation is Get. +Supported operation is Get. **PendingRebootUpdates/*Pending Reboot Update Guid*/RevisionNumber** -
Added in Windows 10, version 1703. The revision number for the update that must be passed in server to server sync to get the metadata for the update. +Added in Windows 10, version 1703. The revision number for the update that must be passed in server to server sync to get the metadata for the update. -
Supported operation is Get. +Supported operation is Get. **LastSuccessfulScanTime** -
The last successful scan time. +The last successful scan time. -
Supported operation is Get. +Supported operation is Get. **DeferUpgrade** -
Upgrades deferred until the next period. +Upgrades deferred until the next period. -
Supported operation is Get.
+Supported operation is Get.
**Rollback**
Added in Windows 10, version 1803. Node for the rollback operations.
diff --git a/windows/deployment/deploy-enterprise-licenses.md b/windows/deployment/deploy-enterprise-licenses.md
index 8ad4658ea1..f94f31723e 100644
--- a/windows/deployment/deploy-enterprise-licenses.md
+++ b/windows/deployment/deploy-enterprise-licenses.md
@@ -14,7 +14,7 @@ ms.collection:
appliesto:
- ✅ Windows 10
- ✅ Windows 11
-ms.date: 11/23/2022
+ms.date: 11/14/2023
---
# Deploy Windows Enterprise licenses
@@ -306,6 +306,6 @@ If a device isn't able to connect to Windows Update, it can lose activation stat
## Virtual Desktop Access (VDA)
-Subscriptions to Windows Enterprise are also available for virtualized clients. Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Azure or in another [qualified multitenant hoster](https://download.microsoft.com/download/3/D/4/3D445779-2870-4E3D-AFCB-D35D2E1BC095/QMTH%20Authorized%20Partner%20List.pdf) (PDF download).
+Subscriptions to Windows Enterprise are also available for virtualized clients. Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Azure or in another qualified multitenant hoster.
Virtual machines (VMs) must be configured to enable Windows Enterprise subscriptions for VDA. Active Directory-joined and Microsoft Entra joined clients are supported. For more information, see [Enable VDA for Enterprise subscription activation](vda-subscription-activation.md).
diff --git a/windows/deployment/mbr-to-gpt.md b/windows/deployment/mbr-to-gpt.md
index 2ab8313425..a0eb436b76 100644
--- a/windows/deployment/mbr-to-gpt.md
+++ b/windows/deployment/mbr-to-gpt.md
@@ -4,7 +4,7 @@ description: Use MBR2GPT.EXE to convert a disk from the Master Boot Record (MBR)
ms.prod: windows-client
author: frankroj
ms.author: frankroj
-ms.date: 11/23/2022
+ms.date: 11/16/2023
manager: aaroncz
ms.localizationpriority: high
ms.topic: how-to
@@ -12,19 +12,18 @@ ms.collection:
- highpri
- tier2
ms.technology: itpro-deploy
+appliesto:
+ - ✅ Windows 11
+ - ✅ Windows 10
---
# MBR2GPT.EXE
-*Applies to:*
+**MBR2GPT.EXE** converts a disk from the Master Boot Record (MBR) to the GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool runs from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows operating system (OS) by using the **`/allowFullOS`** option.
-- Windows 10
+**MBR2GPT.EXE** is located in the **`Windows\System32`** directory on a computer running Windows.
-**MBR2GPT.EXE** converts a disk from the Master Boot Record (MBR) to the GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool runs from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS) by using the **`/allowFullOS`** option.
-
-MBR2GPT.EXE is located in the **`Windows\System32`** directory on a computer running Windows 10 version 1703 or later.
-
-The tool is available in both the full OS environment and Windows PE. To use this tool in a deployment task sequence with Configuration Manager or Microsoft Deployment Toolkit (MDT), you must first update the Windows PE image (winpe.wim, boot.wim) with the [Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) 1703, or a later version.
+The tool is available in both the full OS environment and Windows PE.
See the following video for a detailed description and demonstration of MBR2GPT.
@@ -33,13 +32,13 @@ See the following video for a detailed description and demonstration of MBR2GPT.
You can use MBR2GPT to:
- Convert any attached MBR-formatted system disk to the GPT partition format. You can't use the tool to convert non-system disks from MBR to GPT.
-- Convert an MBR disk with BitLocker-encrypted volumes as long as protection has been suspended. To resume BitLocker after conversion, you'll need to delete the existing protectors and recreate them.
-- Convert operating system disks that have earlier versions of Windows 10 installed, such as versions 1507, 1511, and 1607. However, you must run the tool while booted into Windows 10 version 1703 or later, and perform an offline conversion.
-- Convert an operating system disk from MBR to GPT using Configuration Manager or MDT if your task sequence uses Windows PE version 1703 or later.
+- Convert an MBR disk with BitLocker-encrypted volumes as long as protection is suspended. To resume BitLocker after conversion, you'll need to delete the existing protectors and recreate them.
+- Convert an operating system disk from MBR to GPT using Microsoft Configuration Manager or Microsoft Deployment Toolkit (MDT).
-Offline conversion of system disks with earlier versions of Windows installed, such as Windows 7, 8, or 8.1 aren't officially supported. The recommended method to convert these disks is to upgrade the operating system to Windows 10 first, then perform the MBR to GPT conversion.
+Offline conversion of system disks with earlier versions of Windows installed, such as Windows 7, 8, or 8.1 aren't officially supported. The recommended method to convert these disks is to upgrade the operating system to a currently supported version of Windows, then perform the MBR to GPT conversion.
> [!IMPORTANT]
+>
> After the disk has been converted to GPT partition style, the firmware must be reconfigured to boot in UEFI mode.
>
> Make sure that your device supports UEFI before attempting to convert the disk.
@@ -57,9 +56,9 @@ Before any change to the disk is made, MBR2GPT validates the layout and geometry
- The disk doesn't have any extended/logical partition
- The BCD store on the system partition contains a default OS entry pointing to an OS partition
- The volume IDs can be retrieved for each volume that has a drive letter assigned
-- All partitions on the disk are of MBR types recognized by Windows or has a mapping specified using the /map command-line option
+- All partitions on the disk are of MBR types recognized by Windows or has a mapping specified using the `/map` command-line option
-If any of these checks fails, the conversion won't proceed, and an error will be returned.
+If any of these checks fails, the conversion doesn't proceed, and an error is returned.
## Syntax
@@ -72,9 +71,9 @@ If any of these checks fails, the conversion won't proceed, and an error will be
|**/validate**| Instructs `MBR2GPT.exe` to perform only the disk validation steps and report whether the disk is eligible for conversion. |
|**/convert**| Instructs `MBR2GPT.exe` to perform the disk validation and to proceed with the conversion if all validation tests pass. |
|**/disk:*\
**Note**: Since the existing MBR system partition is in use while running the full Windows environment, it can't be reused. In this case, a new ESP is created by shrinking the OS partition.|
+|**/allowFullOS**| By default, `MBR2GPT.exe` can only run from Windows PE and is blocked from running in full Windows. This option overrides this block and enables disk conversion while running in the full Windows environment.
**Note**: Since the existing MBR system partition is in use while running the full Windows environment, it can't be reused. In this case, a new EFI system partition is created by shrinking the OS partition.|
## Examples
@@ -83,7 +82,7 @@ If any of these checks fails, the conversion won't proceed, and an error will be
In the following example, disk 0 is validated for conversion. Errors and warnings are logged to the default location of **`%windir%`**.
```cmd
-X:\>mbr2gpt.exe /validate /disk:0
+X:\> mbr2gpt.exe /validate /disk:0
MBR2GPT: Attempting to validate disk 0
MBR2GPT: Retrieving layout of disk
MBR2GPT: Validating layout, disk sector size is: 512
@@ -94,19 +93,24 @@ MBR2GPT: Validation completed successfully
In the following example:
-1. Using DiskPart, the current disk partition layout is displayed prior to conversion - three partitions are present on the MBR disk (disk 0): a system reserved partition, a Windows partition, and a recovery partition. A DVD-ROM is also present as volume 0.
+1. The current disk partition layout is displayed prior to conversion using DiskPart - three partitions are present on the MBR disk (disk 0):
-2. The OS volume is selected, partitions are listed, and partition details are displayed for the OS partition. The [MBR partition type](/windows/win32/fileio/disk-partition-types) is **07** corresponding to the installable file system (IFS) type.
+ - A system reserved partition.
+ - A Windows partition.
+ - A recovery partition.
+ - A DVD-ROM is also present as volume 0.
-3. The MBR2GPT tool is used to convert disk 0.
+1. The OS volume is selected, partitions are listed, and partition details are displayed for the OS partition. The [MBR partition type](/windows/win32/fileio/disk-partition-types) is **07** corresponding to the installable file system (IFS) type.
-4. The DiskPart tool displays that disk 0 is now using the GPT format.
+1. The MBR2GPT tool is used to convert disk 0.
-5. The new disk layout is displayed - four partitions are present on the GPT disk: three are identical to the previous partitions and one is the new EFI system partition (volume 3).
+1. The DiskPart tool displays that disk 0 is now using the GPT format.
-6. The OS volume is selected again, and detail displays that it has been converted to the [GPT partition type](/windows/win32/api/winioctl/ns-winioctl-partition_information_gpt) of **ebd0a0a2-b9e5-4433-87c0-68b6b72699c7** corresponding to the **PARTITION_BASIC_DATA_GUID** type.
+1. The new disk layout is displayed - four partitions are present on the GPT disk: three are identical to the previous partitions and one is the new EFI system partition (volume 3).
-As noted in the output from the MBR2GPT tool, you must make changes to the computer firmware so that the new EFI system partition will boot properly.
+1. The OS volume is selected again. The detail displays that the OS volume is converted to the [GPT partition type](/windows/win32/api/winioctl/ns-winioctl-partition_information_gpt) of **ebd0a0a2-b9e5-4433-87c0-68b6b72699c7** corresponding to the **PARTITION_BASIC_DATA_GUID** type.
+
+As noted in the output from the MBR2GPT tool, you must make changes to the computer firmware so that the new EFI system partition boots properly.
[Windows 10 Specifications](https://www.microsoft.com/windows/Windows-10-specifications)
-
[Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro)
diff --git a/windows/deployment/update/waas-branchcache.md b/windows/deployment/update/waas-branchcache.md
index 840ea3d5a7..05c5f63d80 100644
--- a/windows/deployment/update/waas-branchcache.md
+++ b/windows/deployment/update/waas-branchcache.md
@@ -9,9 +9,8 @@ ms.author: mstewart
manager: aaroncz
ms.localizationpriority: medium
appliesto:
-- ✅ Windows 11
- ✅ Windows 10
-ms.date: 12/31/2017
+ms.date: 11/16/2023
---
# Configure BranchCache for Windows client updates
@@ -33,7 +32,10 @@ For detailed information about how Distributed Cache mode and Hosted Cache mode
Whether you use BranchCache with Configuration Manager or WSUS, each client that uses BranchCache must be configured to do so. You typically make your configurations through Group Policy. For step-by-step instructions on how to use Group Policy to configure BranchCache for Windows clients, see [Client Configuration](/previous-versions/windows/it-pro/windows-7/dd637820(v=ws.10)) in the [BranchCache Early Adopter's Guide](/previous-versions/windows/it-pro/windows-7/dd637762(v=ws.10)).
-In Windows 10, version 1607, the Windows Update Agent uses Delivery Optimization by default, even when the updates are retrieved from WSUS. When using BranchCache with Windows client, set the Delivery Optimization mode to Bypass to allow clients to use the Background Intelligent Transfer Service (BITS) protocol with BranchCache instead. For instructions on how to use BranchCache in Distributed Cache mode with WSUS, see the section WSUS and Configuration Manager with BranchCache in Distributed Cache mode.
+In Windows 10, version 1607, the Windows Update Agent uses Delivery Optimization by default, even when the updates are retrieved from WSUS. When using BranchCache with Windows client, set the Delivery Optimization **Download mode** to '100' (Bypass) to allow clients to use the Background Intelligent Transfer Service (BITS) protocol with BranchCache instead. For instructions on how to use BranchCache in Distributed Cache mode with WSUS, see the section WSUS and Configuration Manager with BranchCache in Distributed Cache mode.
+
+> [!Note]
+> Setting [Download mode](../do/waas-delivery-optimization-reference.md#download-mode) to '100' (Bypass) is only available in Windows 10, version 1607 and later, not in Windows 11. BranchCache isn't supported for Windows 11.
## Configure servers for BranchCache
diff --git a/windows/deployment/vda-subscription-activation.md b/windows/deployment/vda-subscription-activation.md
index df89fc602d..aefcd10aa4 100644
--- a/windows/deployment/vda-subscription-activation.md
+++ b/windows/deployment/vda-subscription-activation.md
@@ -9,7 +9,7 @@ ms.prod: windows-client
ms.technology: itpro-fundamentals
ms.localizationpriority: medium
ms.topic: how-to
-ms.date: 11/23/2022
+ms.date: 11/14/2023
---
# Configure VDA for Windows subscription activation
@@ -31,7 +31,7 @@ Deployment instructions are provided for the following scenarios:
- VMs must be running a supported version of Windows Pro edition.
- VMs must be joined to Active Directory or Microsoft Entra ID.
-- VMs must be hosted by a Qualified Multitenant Hoster (QMTH). For more information, download the PDF that describes the [Qualified Multitenant Hoster Program](https://download.microsoft.com/download/3/D/4/3D445779-2870-4E3D-AFCB-D35D2E1BC095/QMTH%20Authorized%20Partner%20List.pdf).
+- VMs must be hosted by a Qualified Multitenant Hoster (QMTH).
## Activation
diff --git a/windows/deployment/windows-10-poc.md b/windows/deployment/windows-10-poc.md
index 40769fc671..11b304e822 100644
--- a/windows/deployment/windows-10-poc.md
+++ b/windows/deployment/windows-10-poc.md
@@ -225,26 +225,7 @@ When you have completed installation of Hyper-V on the host computer, begin conf
> [!IMPORTANT]
> Don't attempt to use the VM resulting from the following procedure as a reference image. Also, to avoid conflicts with existing clients, don't start the VM outside the PoC network.
-If you don't have a PC available to convert to VM, do the following steps to download an evaluation VM:
-
-1. Open the [Download virtual machines](https://developer.microsoft.com/microsoft-edge/tools/vms/) page.
-
- > [!NOTE]
- > The above link may not be available in all locales.
-
-2. Under **Virtual machine**, choose **IE11 on Win7**.
-
-3. Under **Select platform**, choose **HyperV (Windows)**.
-
-4. Select **Download .zip**. The download is 3.31 GB.
-
-5. Extract the zip file. Three directories are created.
-
-6. Open the **Virtual Hard Disks** directory and then copy **IE11 - Win7.vhd** to the **C:\VHD** directory.
-
-7. Rename **IE11 - Win7.vhd** to **w7.vhd** (don't rename the file to w7.vhdx).
-
-8. In step 5 of the [Configure Hyper-V](#configure-hyper-v) section, replace the VHD file name **w7.vhdx** with **w7.vhd**.
+
If you have a PC available to convert to VM (computer 2):
diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md
index 6b8718bf68..b5fc8eb923 100644
--- a/windows/deployment/windows-10-subscription-activation.md
+++ b/windows/deployment/windows-10-subscription-activation.md
@@ -11,7 +11,7 @@ ms.collection:
- highpri
- tier2
ms.topic: conceptual
-ms.date: 11/23/2022
+ms.date: 11/14/2023
appliesto:
- ✅ Windows 10
- ✅ Windows 11
@@ -39,7 +39,15 @@ This article covers the following information:
For more information on how to deploy Enterprise licenses, see [Deploy Windows Enterprise licenses](deploy-enterprise-licenses.md).
> [!NOTE]
-> Organizations that use the Subscription Activation feature to enable users to upgrade from one version of Windows to another and use Conditional Access policies to control access need to exclude the [Universal Store Service APIs and Web Application, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f](/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in#application-ids-of-commonly-used-microsoft-applications), from their Conditional Access policies using **Select Excluded Cloud Apps**. For more information about configuring exclusions in Conditional Access policies, see [Application exclusions](/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa#application-exclusions).
+>
+> Organizations that use the Subscription Activation feature to enable users to upgrade from one version of Windows to another and use Conditional Access policies to control access need to exclude one of the following cloud apps from their Conditional Access policies using **Select Excluded Cloud Apps**:
+>
+> - [Universal Store Service APIs and Web Application, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f](/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in#application-ids-of-commonly-used-microsoft-applications).
+> - [Windows Store for Business, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f](/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in#application-ids-of-commonly-used-microsoft-applications).
+>
+> Although the app ID is the same in both instances, the name of the cloud app will depend on the tenant.
+>
+> For more information about configuring exclusions in Conditional Access policies, see [Application exclusions](/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa#application-exclusions).
## Subscription activation for Enterprise
@@ -239,7 +247,7 @@ For more information, see [Deploy Windows Enterprise licenses](deploy-enterprise
## Virtual Desktop Access (VDA)
-Subscriptions to Windows Enterprise are also available for virtualized clients. Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Microsoft Azure or in another [qualified multitenant hoster (QMTH)](https://download.microsoft.com/download/3/D/4/3D445779-2870-4E3D-AFCB-D35D2E1BC095/QMTH%20Authorized%20Partner%20List.pdf).
+Subscriptions to Windows Enterprise are also available for virtualized clients. Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Microsoft Azure or in another qualified multitenant hoster (QMTH).
Virtual machines (VMs) must be configured to enable Windows 10 Enterprise subscriptions for VDA. Active Directory-joined and Microsoft Entra joined clients are supported. See [Enable VDA for Subscription Activation](vda-subscription-activation.md).
diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md
index eb2f5d26d5..e41d8e60f4 100644
--- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md
@@ -1,7 +1,7 @@
---
title: Post-device registration readiness checks
description: This article details how post-device registration readiness checks are performed in Windows Autopatch
-ms.date: 09/16/2022
+ms.date: 09/16/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-trending-report.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-trending-report.md
index e68ee4d6bd..71b96ec441 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-trending-report.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-trending-report.md
@@ -1,7 +1,7 @@
---
title: Quality update trending report
description: Provides a visual representation of the update status trend for all devices over the last 90 days with Autopatch groups.
-ms.date: 05/01/2023
+ms.date: 09/01/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: how-to
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md
index 3b72dc6d90..fe9d6b3321 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md
@@ -1,7 +1,7 @@
---
title: Maintain the Windows Autopatch environment
description: This article details how to maintain the Windows Autopatch environment
-ms.date: 05/15/2023
+ms.date: 09/15/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: how-to
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md
index 690e61a507..20c341551a 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md
@@ -1,7 +1,7 @@
---
title: Submit a support request
description: Details how to contact the Windows Autopatch Service Engineering Team and submit support requests
-ms.date: 01/06/2023
+ms.date: 09/06/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: how-to
diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md
index 043db6fb77..0e481d7a66 100644
--- a/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md
+++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md
@@ -1,7 +1,7 @@
---
title: Privacy
description: This article provides details about the data platform and privacy compliance for Autopatch
-ms.date: 03/13/2023
+ms.date: 09/13/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: reference
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enrollment-support-request.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enrollment-support-request.md
index 6588ea5a13..bc26753af7 100644
--- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enrollment-support-request.md
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enrollment-support-request.md
@@ -1,7 +1,7 @@
---
title: Submit a tenant enrollment support request
description: This article details how to submit a tenant enrollment support request
-ms.date: 01/13/2023
+ms.date: 09/13/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: how-to
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md
index 8acdf328e5..f7a2045294 100644
--- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md
@@ -1,7 +1,7 @@
---
title: Fix issues found by the Readiness assessment tool
description: This article details how to fix issues found by the Readiness assessment tool.
-ms.date: 01/12/2023
+ms.date: 09/12/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: how-to
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md
index b0df16842e..7cb1b4a4d5 100644
--- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md
@@ -1,7 +1,7 @@
---
title: Prerequisites
description: This article details the prerequisites needed for Windows Autopatch
-ms.date: 04/24/2023
+ms.date: 09/24/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual
diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-windows-update-unsupported-policies.md b/windows/deployment/windows-autopatch/references/windows-autopatch-windows-update-unsupported-policies.md
index 9ece385c03..e72d9e8042 100644
--- a/windows/deployment/windows-autopatch/references/windows-autopatch-windows-update-unsupported-policies.md
+++ b/windows/deployment/windows-autopatch/references/windows-autopatch-windows-update-unsupported-policies.md
@@ -1,7 +1,7 @@
---
title: Windows update policies
description: This article explains Windows update policies in Windows Autopatch
-ms.date: 12/02/2022
+ms.date: 09/02/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual
diff --git a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
index 24650e3a33..1e7b26a9c9 100644
--- a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
+++ b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
@@ -1,7 +1,7 @@
---
title: What's new 2023
description: This article lists the 2023 feature releases and any corresponding Message center post numbers.
-ms.date: 10/27/2023
+ms.date: 11/16/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: whats-new
@@ -21,6 +21,14 @@ This article lists new and updated feature releases, and service releases, with
Minor corrections such as typos, style, or formatting issues aren't listed.
+## November 2023
+
+## November service release
+
+| Message center post number | Description |
+| ----- | ----- |
+| [MC689492](https://admin.microsoft.com/adminportal/home#/MessageCenter) | Planned Maintenance: Service maintenance to improve Windows Autopatch performance |
+
## October 2023
### October feature releases or updates
diff --git a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md
index 38961897cb..313b641bca 100644
--- a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md
+++ b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md
@@ -1,7 +1,7 @@
---
title: Enhanced Phishing Protection in Microsoft Defender SmartScreen
description: Learn how Enhanced Phishing Protection for Microsoft Defender SmartScreen helps protect Microsoft school or work passwords against phishing and unsafe usage on sites and apps.
-ms.date: 09/25/2023
+ms.date: 11/02/2023
ms.topic: conceptual
appliesto:
- ✅ Windows 11, version 22H2
@@ -37,43 +37,51 @@ Enhanced Phishing Protection provides robust phishing protections for work or sc
## Configure Enhanced Phishing Protection for your organization
-Enhanced Phishing Protection can be configured via Microsoft Intune, Group Policy Objects (GPO) or Configuration Service Providers (CSP) with an MDM service. Follow these instructions to configure your devices using either Microsoft Intune, GPO or CSP.
+Enhanced Phishing Protection can be configured via Microsoft Intune, Group Policy Objects (GPO) or Configuration Service Providers (CSP) with an MDM service. These settings are available to configure your devices using either Microsoft Intune, GPO or CSP.
+
+| Setting | Description |
+|--|--|
+| Automatic Data Collection | This policy setting determines whether Enhanced Phishing Protection can collect additional information-such as content displayed, sounds played, and application memory-when your users enter their work or school password into a suspicious website or app. This information is used only for security purposes and helps SmartScreen determine whether the website or app is malicious.
Account Enabled |
-| Undeclared | 0x0004 | 4 | This flag is undeclared. | Changes of this flag do not show in 4720 events. |
-| HOMEDIR\_REQUIRED | 0x0008 | 8 | The home folder is required. | 'Home Directory Required' - Enabled
'Home Directory Required' - Disabled |
-| LOCKOUT | 0x0010 | 16 | | Changes of this flag do not show in 4720 events. |
-| PASSWD\_NOTREQD | 0x0020 | 32 | No password is required. | 'Password Not Required' - Enabled
'Password Not Required' - Disabled |
-| PASSWD\_CANT\_CHANGE | 0x0040 | 64 | The user cannot change the password. This is a permission on the user's object. | Changes of this flag do not show in 4720 events. |
-| ENCRYPTED\_TEXT\_PWD\_ALLOWED | 0x0080 | 128 | The user can send an encrypted password.
Can be set using “Store password using reversible encryption” checkbox. | 'Encrypted Text Password Allowed' - Disabled
'Encrypted Text Password Allowed' - Enabled |
-| TEMP\_DUPLICATE\_ACCOUNT | 0x0100 | 256 | This is an account for users whose primary account is in another domain. This account provides user access to this domain, but not to any domain that trusts this domain. This is sometimes referred to as a local user account. | Cannot be set for computer account. |
-| NORMAL\_ACCOUNT | 0x0200 | 512 | This is a default account type that represents a typical user. | 'Normal Account' - Disabled
'Normal Account' - Enabled |
-| INTERDOMAIN\_TRUST\_ACCOUNT | 0x0800 | 2048 | This is a permit to trust an account for a system domain that trusts other domains. | Cannot be set for computer account. |
-| WORKSTATION\_TRUST\_ACCOUNT | 0x1000 | 4096 | This is a computer account for a computer that is running Microsoft Windows NT 4.0 Workstation, Microsoft Windows NT 4.0 Server, Microsoft Windows 2000 Professional, or Windows 2000 Server and is a member of this domain. | 'Workstation Trust Account' - Disabled
'Workstation Trust Account' - Enabled |
-| SERVER\_TRUST\_ACCOUNT | 0x2000 | 8192 | This is a computer account for a domain controller that is a member of this domain. | 'Server Trust Account' - Enabled
'Server Trust Account' - Disabled |
-| DONT\_EXPIRE\_PASSWORD | 0x10000 | 65536 | Represents the password, which should never expire on the account.
Can be set using “Password never expires” checkbox. | 'Don't Expire Password' - Disabled
'Don't Expire Password' - Enabled |
-| MNS\_LOGON\_ACCOUNT | 0x20000 | 131072 | This is an MNS logon account. | 'MNS Logon Account' - Disabled
'MNS Logon Account' - Enabled |
-| SMARTCARD\_REQUIRED | 0x40000 | 262144 | When this flag is set, it forces the user to log on by using a smart card. | 'Smartcard Required' - Disabled
'Smartcard Required' - Enabled |
-| TRUSTED\_FOR\_DELEGATION | 0x80000 | 524288 | When this flag is set, the service account (the user or computer account) under which a service runs is trusted for Kerberos delegation. Any such service can impersonate a client requesting the service. To enable a service for Kerberos delegation, you must set this flag on the userAccountControl property of the service account.
If you enable Kerberos constraint or unconstraint delegation or disable these types of delegation in Delegation tab you will get this flag changed. | 'Trusted For Delegation' - Enabled
'Trusted For Delegation' - Disabled |
-| NOT\_DELEGATED | 0x100000 | 1048576 | When this flag is set, the security context of the user is not delegated to a service even if the service account is set as trusted for Kerberos delegation.
Can be set using “Account is sensitive and cannot be delegated” checkbox. | 'Not Delegated' - Disabled
'Not Delegated' - Enabled |
-| USE\_DES\_KEY\_ONLY | 0x200000 | 2097152 | Restrict this principal to use only Data Encryption Standard (DES) encryption types for keys.
Can be set using “Use Kerberos DES encryption types for this account” checkbox. | 'Use DES Key Only' - Disabled
'Use DES Key Only' - Enabled |
-| DONT\_REQ\_PREAUTH | 0x400000 | 4194304 | This account does not require Kerberos pre-authentication for logging on.
Can be set using “Do not require Kerberos preauthentication” checkbox. | 'Don't Require Preauth' - Disabled
'Don't Require Preauth' - Enabled |
-| PASSWORD\_EXPIRED | 0x800000 | 8388608 | The user's password has expired. | Changes of this flag do not show in 4720 events. |
-| TRUSTED\_TO\_AUTH\_FOR\_DELEGATION | 0x1000000 | 16777216 | The account is enabled for delegation. This is a security-sensitive setting. Accounts that have this option enabled should be tightly controlled. This setting lets a service that runs under the account assume a client's identity and authenticate as that user to other remote servers on the network.
If you enable Kerberos protocol transition delegation or disable this type of delegation in Delegation tab you will get this flag changed. | 'Trusted To Authenticate For Delegation' - Disabled
'Trusted To Authenticate For Delegation' - Enabled |
-| PARTIAL\_SECRETS\_ACCOUNT | 0x04000000 | 67108864 | The account is a read-only domain controller (RODC). This is a security-sensitive setting. Removing this setting from an RODC compromises security on that server. | No information. |
-
-For new, manually created, domain or local user accounts typical flags are:
-
-- Account Disabled
-
-- 'Password Not Required' - Enabled
-
-- 'Normal Account' – Enabled
-
- After new user creation event you will typically see couple of “[4738](event-4738.md): A user account was changed.” events with new flags:
-
-- 'Password Not Required' – Disabled
-
-- Account Enabled
-
-
+- **New UAC Value** [Type = UnicodeString]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. This parameter contains the value of the SAM implementation of account flags (definition differs from userAccountControl in AD). For a list of account flags you may see here, refer to [[MS-SAMR]: USER_ACCOUNT Codes](/openspecs/windows_protocols/ms-samr/b10cfda1-f24f-441b-8f43-80cb93e786ec).
- **User Parameters** \[Type = UnicodeString\]: if you change any setting using Active Directory Users and Computers management console in Dial-in tab of user’s account properties, then you will see **<value changed, but not displayed>** in this field in “[4738](event-4738.md): A user account was changed.” This parameter might not be captured in the event, and in that case appears as “-”. For new local accounts this field typically has value “**<value not set>**”.
diff --git a/windows/security/threat-protection/auditing/event-4738.md b/windows/security/threat-protection/auditing/event-4738.md
index 61cd4e80e6..be3bf1a1e5 100644
--- a/windows/security/threat-protection/auditing/event-4738.md
+++ b/windows/security/threat-protection/auditing/event-4738.md
@@ -192,39 +192,9 @@ Typical **Primary Group** values for user accounts:
> [!NOTE]
> **Service Principal Name (SPN)** is the name by which a client uniquely identifies an instance of a service. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host.
-- **Old UAC Value** \[Type = UnicodeString\]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user account. This parameter contains the previous value of **userAccountControl** attribute of user object.
+- **Old UAC Value** [Type = UnicodeString]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. This parameter contains the previous value of the SAM implementation of account flags (definition differs from userAccountControl in AD).
-- **New UAC Value** \[Type = UnicodeString\]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user account. If the value of **userAccountControl** attribute of user object was changed, you will see the new value here.
-
-To decode this value, you can go through the property value definitions in the [User’s or Computer’s account UAC flags.](/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties) from largest to smallest. Compare each property value to the flags value in the event. If the flags value in the event is greater than or equal to the property value, then the property is "set" and applies to that event. Subtract the property value from the flags value in the event and note that the flag applies and then go on to the next flag.
-
-Here's an example: Flags value from event: 0x15
-
-Decoding:
-
-• PASSWD\_NOTREQD 0x0020
-
-• LOCKOUT 0x0010
-
-• HOMEDIR\_REQUIRED 0x0008
-
-• (undeclared) 0x0004
-
-• ACCOUNTDISABLE 0x0002
-
-• SCRIPT 0x0001
-
-0x0020 > 0x15, so PASSWD\_NOTREQD does not apply to this event
-
-0x10 < 0x15, so LOCKOUT applies to this event. 0x15 - 0x10 = 0x5
-
-0x4 < 0x5, so the undeclared value is set. We'll pretend it doesn't mean anything. 0x5 - 0x4 = 0x1
-
-0x2 > 0x1, so ACCOUNTDISABLE does not apply to this event
-
-0x1 = 0x1, so SCRIPT applies to this event. 0x1 - 0x1 = 0x0, we're done.
-
-So this UAC flags value decodes to: LOCKOUT and SCRIPT
+- **New UAC Value** [Type = UnicodeString]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. This parameter contains the value of the SAM implementation of account flags (definition differs from userAccountControl in AD). If the value was changed, you will see the new value here. For a list of account flags you may see here, refer to [[MS-SAMR]: USER_ACCOUNT Codes](/openspecs/windows_protocols/ms-samr/b10cfda1-f24f-441b-8f43-80cb93e786ec).
- **User Account Control** \[Type = UnicodeString\]**:** shows the list of changes in **userAccountControl** attribute. You will see a line of text for each change. See possible values in here: [User’s or Computer’s account UAC flags](/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties). In the “User Account Control field text” column, you can see the text that will be displayed in the **User Account Control** field in 4738 event.
diff --git a/windows/security/threat-protection/auditing/event-4741.md b/windows/security/threat-protection/auditing/event-4741.md
index a245d7e5ce..e26b0c96b3 100644
--- a/windows/security/threat-protection/auditing/event-4741.md
+++ b/windows/security/threat-protection/auditing/event-4741.md
@@ -170,69 +170,9 @@ Typically, **Primary Group** field for new computer accounts has the following v
> [!NOTE]
> **Service Principal Name (SPN)** is the name by which a client uniquely identifies an instance of a service. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host.
-- **Old UAC Value** \[Type = UnicodeString\]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. **Old UAC value** always `0x0` for new computer accounts. This parameter contains the previous value of **userAccountControl** attribute of computer object.
+- **Old UAC Value** [Type = UnicodeString]: is always “0x0” for new accounts.
-- **New UAC Value** \[Type = UnicodeString\]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. This parameter contains the value of **userAccountControl** attribute of new computer object.
-
-To decode this value, you can go through the property value definitions in the “Table 7. User’s or Computer’s account UAC flags.” from largest to smallest. Compare each property value to the flags value in the event. If the flags value in the event is greater than or equal to the property value, then the property is "set" and applies to that event. Subtract the property value from the flags value in the event and note that the flag applies and then go on to the next flag.
-
-Here's an example: Flags value from event: 0x15
-
-Decoding:
-
-• PASSWD\_NOTREQD 0x0020
-
-• LOCKOUT 0x0010
-
-• HOMEDIR\_REQUIRED 0x0008
-
-• (undeclared) 0x0004
-
-• ACCOUNTDISABLE 0x0002
-
-• SCRIPT 0x0001
-
-0x0020 > 0x15, so PASSWD\_NOTREQD does not apply to this event
-
-0x10 < 0x15, so LOCKOUT applies to this event. 0x15 - 0x10 = 0x5
-
-0x4 < 0x5, so the undeclared value is set. We'll pretend it doesn't mean anything. 0x5 - 0x4 = 0x1
-
-0x2 > 0x1, so ACCOUNTDISABLE does not apply to this event
-
-0x1 = 0x1, so SCRIPT applies to this event. 0x1 - 0x1 = 0x0, we're done.
-
-So this UAC flags value decodes to: LOCKOUT and SCRIPT
-
-- **User Account Control** \[Type = UnicodeString\]**:** shows the list of changes in **userAccountControl** attribute. You will see a line of text for each change. For new computer accounts, when the object for this account was created, the **userAccountControl** value was considered to be `0x0`, and then it was changed from `0x0` to the real value for the account's **userAccountControl** attribute. See possible values in the table below. In the “User Account Control field text” column, you can see the text that will be displayed in the **User Account Control** field in 4741 event.
-
-| Flag Name | userAccountControl in hexadecimal | userAccountControl in decimal | Description | User Account Control field text |
-|---|---|---|---|---|
-| SCRIPT | 0x0001 | 1 | The logon script will be run. | Changes of this flag do not show in 4741 events. |
-| ACCOUNTDISABLE | 0x0002 | 2 | The user account is disabled. | Account Disabled
Account Enabled |
-| Undeclared | 0x0004 | 4 | This flag is undeclared. | Changes of this flag do not show in 4741 events. |
-| HOMEDIR\_REQUIRED | 0x0008 | 8 | The home folder is required. | 'Home Directory Required' - Enabled
'Home Directory Required' - Disabled |
-| LOCKOUT | 0x0010 | 16 | | Changes of this flag do not show in 4741 events. |
-| PASSWD\_NOTREQD | 0x0020 | 32 | No password is required. | 'Password Not Required' - Enabled
'Password Not Required' - Disabled |
-| PASSWD\_CANT\_CHANGE | 0x0040 | 64 | The user cannot change the password. This is a permission on the user's object. | Changes of this flag do not show in 4741 events. |
-| ENCRYPTED\_TEXT\_PWD\_ALLOWED | 0x0080 | 128 | The user can send an encrypted password.
Can be set using “Store password using reversible encryption” checkbox. | 'Encrypted Text Password Allowed' - Disabled
'Encrypted Text Password Allowed' - Enabled |
-| TEMP\_DUPLICATE\_ACCOUNT | 0x0100 | 256 | This is an account for users whose primary account is in another domain. This account provides user access to this domain, but not to any domain that trusts this domain. This is sometimes referred to as a local user account. | Cannot be set for computer account. |
-| NORMAL\_ACCOUNT | 0x0200 | 512 | This is a default account type that represents a typical user. | 'Normal Account' - Disabled
'Normal Account' - Enabled |
-| INTERDOMAIN\_TRUST\_ACCOUNT | 0x0800 | 2048 | This is a permit to trust an account for a system domain that trusts other domains. | Cannot be set for computer account. |
-| WORKSTATION\_TRUST\_ACCOUNT | 0x1000 | 4096 | This is a computer account for a computer that is running Microsoft Windows NT 4.0 Workstation, Microsoft Windows NT 4.0 Server, Microsoft Windows 2000 Professional, or Windows 2000 Server and is a member of this domain. | 'Workstation Trust Account' - Disabled
'Workstation Trust Account' - Enabled |
-| SERVER\_TRUST\_ACCOUNT | 0x2000 | 8192 | This is a computer account for a domain controller that is a member of this domain. | 'Server Trust Account' - Enabled
'Server Trust Account' - Disabled |
-| DONT\_EXPIRE\_PASSWORD | 0x10000 | 65536 | Represents the password, which should never expire on the account.
Can be set using “Password never expires” checkbox. | 'Don't Expire Password' - Disabled
'Don't Expire Password' - Enabled |
-| MNS\_LOGON\_ACCOUNT | 0x20000 | 131072 | This is an MNS logon account. | 'MNS Logon Account' - Disabled
'MNS Logon Account' - Enabled |
-| SMARTCARD\_REQUIRED | 0x40000 | 262144 | When this flag is set, it forces the user to log on by using a smart card. | 'Smartcard Required' - Disabled
'Smartcard Required' - Enabled |
-| TRUSTED\_FOR\_DELEGATION | 0x80000 | 524288 | When this flag is set, the service account (the user or computer account) under which a service runs is trusted for Kerberos delegation. Any such service can impersonate a client requesting the service. To enable a service for Kerberos delegation, you must set this flag on the userAccountControl property of the service account.
If you enable Kerberos constraint or unconstraint delegation or disable these types of delegation in Delegation tab you will get this flag changed. | 'Trusted For Delegation' - Enabled
'Trusted For Delegation' - Disabled |
-| NOT\_DELEGATED | 0x100000 | 1048576 | When this flag is set, the security context of the user is not delegated to a service even if the service account is set as trusted for Kerberos delegation.
Can be set using “Account is sensitive and cannot be delegated” checkbox. | 'Not Delegated' - Disabled
'Not Delegated' - Enabled |
-| USE\_DES\_KEY\_ONLY | 0x200000 | 2097152 | Restrict this principal to use only Data Encryption Standard (DES) encryption types for keys.
Can be set using “Use Kerberos DES encryption types for this account” checkbox. | 'Use DES Key Only' - Disabled
'Use DES Key Only' - Enabled |
-| DONT\_REQ\_PREAUTH | 0x400000 | 4194304 | This account does not require Kerberos pre-authentication for logging on.
Can be set using “Do not require Kerberos preauthentication” checkbox. | 'Don't Require Preauth' - Disabled
'Don't Require Preauth' - Enabled |
-| PASSWORD\_EXPIRED | 0x800000 | 8388608 | The user's password has expired. | Changes of this flag do not show in 4741 events. |
-| TRUSTED\_TO\_AUTH\_FOR\_DELEGATION | 0x1000000 | 16777216 | The account is enabled for delegation. This is a security-sensitive setting. Accounts that have this option enabled should be tightly controlled. This setting lets a service that runs under the account assume a client's identity and authenticate as that user to other remote servers on the network.
If you enable Kerberos protocol transition delegation or disable this type of delegation in Delegation tab you will get this flag changed. | 'Trusted To Authenticate For Delegation' - Disabled
'Trusted To Authenticate For Delegation' - Enabled |
-| PARTIAL\_SECRETS\_ACCOUNT | 0x04000000 | 67108864 | The account is a read-only domain controller (RODC). This is a security-sensitive setting. Removing this setting from an RODC compromises security on that server. | No information. |
-
-> Table 7. User’s or Computer’s account UAC flags.
+- **New UAC Value** [Type = UnicodeString]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. This parameter contains the value of the SAM implementation of account flags (definition differs from userAccountControl in AD). For a list of account flags you may see here, refer to [[MS-SAMR]: USER_ACCOUNT Codes](/openspecs/windows_protocols/ms-samr/b10cfda1-f24f-441b-8f43-80cb93e786ec).
- **User Parameters** \[Type = UnicodeString\]: if you change any setting using Active Directory Users and Computers management console in Dial-in tab of computer’s account properties, then you will see `