From 5a80ed449f64a8888457630c5d05bc4b740115a1 Mon Sep 17 00:00:00 2001 From: Kofl Date: Sat, 14 Jan 2023 20:00:35 +0100 Subject: [PATCH 001/101] Update mcc-enterprise-deploy.md fixed typo Set- VMProcessor ... => Set-VMProcessor --- windows/deployment/do/mcc-enterprise-deploy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/do/mcc-enterprise-deploy.md b/windows/deployment/do/mcc-enterprise-deploy.md index c39e4b5a84..76b5333ac9 100644 --- a/windows/deployment/do/mcc-enterprise-deploy.md +++ b/windows/deployment/do/mcc-enterprise-deploy.md @@ -163,7 +163,7 @@ Installing MCC on your Windows device is a simple process. A PowerShell script p 1. Enable nested virtualization: ```powershell - Set -VMProcessor -VMName "VM name" -ExposeVirtualizationExtensions $true + Set-VMProcessor -VMName "VM name" -ExposeVirtualizationExtensions $true ``` 1. Enable MAC spoofing: From 0c92b0383a33af6bba22e24aa62458d9c15c5390 Mon Sep 17 00:00:00 2001 From: Sriraman M S <45987684+msbemba@users.noreply.github.com> Date: Thu, 16 Feb 2023 18:59:59 +0530 Subject: [PATCH 002/101] Update windows-10-subscription-activation.md made changes to the note as Excluded Cloud Apps are configured in Conditional Access policies, not in a compliance policy Fixes#https://github.com/MicrosoftDocs/windows-itpro-docs/issues/11335 --- windows/deployment/windows-10-subscription-activation.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md index 4f8562a41b..ce623eb63a 100644 --- a/windows/deployment/windows-10-subscription-activation.md +++ b/windows/deployment/windows-10-subscription-activation.md 
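Review bot: On PATCH 001 (mcc-enterprise-deploy.md, the nested virtualization hunk): the correction from `Set -VMProcessor` to `Set-VMProcessor` is right, but the step should also say that the VM must be turned off when this runs, because `Set-VMProcessor -ExposeVirtualizationExtensions $true` fails against a running VM and the reader otherwise gets an error that looks unrelated to the typo. The `"VM name"` placeholder is easy to copy literally; a `<VM name>`-style token inside the fence is clearer. The trailing context shows the **Enable MAC spoofing** step follows; it is worth a sentence that both steps are prerequisites for the nested MCC VM to get network access, not optional tuning.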
@@ -40,7 +40,7 @@ This article covers the following information: For more information on how to deploy Enterprise licenses, see [Deploy Windows Enterprise licenses](deploy-enterprise-licenses.md). > [!NOTE] -> Organizations that use the Subscription Activation feature to enable users to upgrade from one version of Windows to another and use Conditional Access policies to control access need to exclude the [Universal Store Service APIs and Web Application, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f](/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in#application-ids-of-commonly-used-microsoft-applications), from their device compliance policy using **Select Excluded Cloud Apps**. For more information about configuring exclusions in Conditional Access policies, see [Application exclusions](/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa#application-exclusions). +> Organizations that use the Subscription Activation feature to enable users to upgrade from one version of Windows to another and use Conditional Access policies to control access need to exclude the [Universal Store Service APIs and Web Application, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f](/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in#application-ids-of-commonly-used-microsoft-applications), from their conditional access policies using **Select Excluded Cloud Apps**. For more information about configuring exclusions in Conditional Access policies, see [Application exclusions](/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa#application-exclusions). ## Subscription activation for Enterprise From 1bfa003cfd6472f59fe78aafe2b0f965a98bfd5b Mon Sep 17 00:00:00 2001 
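Review bot: On PATCH 002 (windows-10-subscription-activation.md): moving the exclusion from "device compliance policy" to Conditional Access is the correct fix, since **Select Excluded Cloud Apps** is a Conditional Access control and a compliance policy has no such setting, but the replacement writes "conditional access policies" in lowercase while the same sentence and the one after it use "Conditional Access policies"; use the capitalized product name consistently. Separately, the commit message's `Fixes#https://github.com/MicrosoftDocs/windows-itpro-docs/issues/11335` is not a form GitHub recognizes for auto-closing; `Fixes #11335` or `Fixes MicrosoftDocs/windows-itpro-docs#11335` would be.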
From: Sriraman M S <45987684+msbemba@users.noreply.github.com> Date: Thu, 16 Feb 2023 20:15:21 +0530 Subject: [PATCH 003/101] Update windows/deployment/windows-10-subscription-activation.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/deployment/windows-10-subscription-activation.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md index ce623eb63a..c65896f125 100644 --- a/windows/deployment/windows-10-subscription-activation.md +++ b/windows/deployment/windows-10-subscription-activation.md 
@@ -40,7 +40,7 @@ This article covers the following information: For more information on how to deploy Enterprise licenses, see [Deploy Windows Enterprise licenses](deploy-enterprise-licenses.md). > [!NOTE] -> Organizations that use the Subscription Activation feature to enable users to upgrade from one version of Windows to another and use Conditional Access policies to control access need to exclude the [Universal Store Service APIs and Web Application, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f](/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in#application-ids-of-commonly-used-microsoft-applications), from their conditional access policies using **Select Excluded Cloud Apps**. For more information about configuring exclusions in Conditional Access policies, see [Application exclusions](/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa#application-exclusions). +> Organizations that use the Subscription Activation feature to enable users to upgrade from one version of Windows to another and use Conditional Access policies to control access need to exclude the [Universal Store Service APIs and Web Application, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f](/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in#application-ids-of-commonly-used-microsoft-applications), from their Conditional Access policies using **Select Excluded Cloud Apps**. For more information about configuring exclusions in Conditional Access policies, see [Application exclusions](/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa#application-exclusions). ## Subscription activation for Enterprise From b02de9f2302c82182a784183ce4cc3b7dda1fabe Mon Sep 17 00:00:00 2001 
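Review bot: On PATCH 003: this hunk only capitalizes "Conditional Access" in the line that PATCH 002 changed, so it should be squashed into 002 rather than carried as a separate commit in the series. While touching the line, the sentence is long enough that the instruction gets lost; consider breaking it after the AppID link, for example "... from their Conditional Access policies. Use **Select Excluded Cloud Apps** to add the exclusion."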
From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Mon, 6 Mar 2023 17:02:12 -0500 Subject: [PATCH 004/101] Refresh quick assist article --- windows/client-management/quick-assist.md | 50 +++++++++++------------ 1 file changed, 23 insertions(+), 27 deletions(-) diff --git a/windows/client-management/quick-assist.md b/windows/client-management/quick-assist.md index 8dab751eb2..c4f89271af 100644 --- a/windows/client-management/quick-assist.md +++ b/windows/client-management/quick-assist.md @@ -1,6 +1,6 @@ --- title: Use Quick Assist to help users -description: How IT Pros can use Quick Assist to help users. +description: Learn how IT Pros can use Quick Assist to help users. ms.prod: windows-client ms.topic: article ms.technology: itpro-manage @@ -12,7 +12,7 @@ ms.reviewer: pmadrigal ms.collection: - highpri - tier1 -ms.date: 08/26/2022 +ms.date: 03/06/2023 --- # Use Quick Assist to help users 
@@ -82,9 +82,10 @@ Microsoft logs a small amount of session data to monitor the health of the Quick - Features used inside the app such as view only, annotation, and session pause -No logs are created on either the helper's or sharer's device. Microsoft can't access a session or view any actions or keystrokes that occur in the session. - -The sharer sees only an abbreviated version of the helper's name (first name, last initial) and no other information about them. Microsoft doesn't store any data about either the sharer or the helper for longer than three days. +> [!NOTE] +> No logs are created on either the helper's or sharer's device. Microsoft can't access a session or view any actions or keystrokes that occur in the session. +> +> The sharer sees only an abbreviated version of the helper's name (first name, last initial) and no other information about them. Microsoft doesn't store any data about either the sharer or the helper for longer than three days. In some scenarios, the helper does require the sharer to respond to application permission prompts (User Account Control), but otherwise the helper has the same permissions as the sharer on the device. 
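Review bot: On PATCH 004, the hunk at line 82 of quick-assist.md: wrapping the logging statements in a [!NOTE] is fine, but the statement an administrator actually needs before allowing Quick Assist is the unchanged context line that follows the callout, "otherwise the helper has the same permissions as the sharer on the device". That belongs in a callout too, ideally [!IMPORTANT], since a helper who is granted control is operating inside the sharer's interactive session with the sharer's rights, limited only by the UAC prompts the sharer must answer. Also, "no other information about them" and "for longer than three days" are assertions the reader cannot check from this page; link the privacy or data-handling documentation they come from.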
@@ -92,22 +93,16 @@ In some scenarios, the helper does require the sharer to respond to application Either the support staff or a user can start a Quick Assist session. -1. Support staff ("helper") starts Quick Assist in any of a few ways: - - - Type *Quick Assist* in the search box and press ENTER. - - Press **CTRL** + **Windows** + **Q** - - For **Windows 10** users, from the Start menu, select **Windows Accessories**, and then choose **Quick Assist**. - - For **Windows 11** users, from the Start menu, select **All Apps**, **Windows Tools**, and then choose **Quick Assist**. - -2. In the **Give assistance** section, the helper selects **Assist another person**. The helper might be asked to choose their account or sign in. Quick Assist generates a time-limited security code. - -3. Helper shares the security code with the user over the phone or with a messaging system. - -4. Quick Assist opens on the sharer's device. The user enters the provided code in the **Code from assistant** box, and then selects **Share screen**. - -5. The helper receives a dialog offering the opportunity to take full control of the device or just view its screen. After they choose an option, the helper selects **Continue**. - -6. The sharer receives a dialog asking for permission to show their screen or allow access. The sharer gives permission by selecting the **Allow** button. +1. Support staff ("helper") and the user ("sharer") can start Quick Assist in any of a few ways: + - Type *Quick Assist* in the Windows search and press ENTER. + - Press **CTRL** + **Windows** + **Q**. + - For **Windows 10** users, from the Start menu, select **Windows Accessories**, and then select **Quick Assist**. + - For **Windows 11** users, from the Start menu, select **All Apps**, and then select **Quick Assist**. +1. In the **Help someone** section, the helper selects the **Help someone** button. The helper might be asked to choose their account or sign in. 
Quick Assist generates a time-limited security code. +1. Helper shares the security code with the user over the phone or with a messaging system. +1. The sharer enters the provided code in the **Security code from assistant** box under the **Get help** section, and then selects **Submit**. +1. The sharer receives a dialog asking for permission to allow screen sharing. The sharer gives permission by selecting the **Allow** button and the screen sharing session is established. +1. After the screen sharing session is established, the helper can optionally request control of the sharer's screen by selecting **Request control**. The sharer then receives a dialog asking them if they want to **Allow** or **Deny** the request for control. ## Install Quick Assist @@ -143,15 +138,16 @@ Visit [Add Microsoft Store apps to Microsoft Intune](/mem/intune/apps/store-apps To install Quick Assist offline, you'll need to download your APPXBUNDLE and unencoded XML file from [Microsoft Store for Business](https://businessstore.microsoft.com). Visit [Download an offline-licensed app](/microsoft-store/distribute-offline-apps#download-an-offline-licensed-app) for more information. 1. Start **Windows PowerShell** with Administrative privileges. -1. In PowerShell, change the directory to the location you've saved the file to in step 1. (CD <*location of package file*>) -1. Run the following command to install Quick Assist:
*Add-appxprovisionedpackage -online -PackagePath "MicrosoftCorporationII.QuickAssist_2022.509.2259.0_neutral___8wekyb3d8bbwe.AppxBundle" -LicensePath "MicrosoftCorporationII.QuickAssist_8wekyb3d8bbwe_4bc27046-84c5-8679-dcc7-d44c77a47dd0.xml"* -1. After Quick Assist has installed, run this command:
_Get-appxpackage \*QuickAssist* -alluser_ - -After running the command, you'll see Quick Assist 2.X is installed for the user. +1. In PowerShell, change the directory to the location you've saved the file to in step 1: `cd ` +1. Run the following command to install Quick Assist: `Add-AppxProvisionedPackage -Online -PackagePath "MicrosoftCorporationII.QuickAssist_8wekyb3d8bbwe.AppxBundle" -LicensePath "MicrosoftCorporationII.QuickAssist_8wekyb3d8bbwe_4bc27046-84c5-8679-dcc7-d44c77a47dd0.xml"` +1. After Quick Assist has installed, run this command to confirm that Quick Assist is installed for the user: `Get-AppxPackage *QuickAssist* -AllUsers` ## Microsoft Edge WebView2 -The Microsoft Edge WebView2 is a development control that uses Microsoft Edge as the rendering engine to display web content in native apps. The new Quick Assist app is written using this control and is required. For Windows 11 users, this runtime control is built in. For Windows 10 users, the Quick Assist Store app will detect if WebView2 is present on launch and if necessary, it will be installed automatically. If an error message or prompt is shown indicating WebView2 isn't present, it will need to be installed separately. +The Microsoft Edge WebView2 is a development control that uses Microsoft Edge as the rendering engine to display web content in native apps. The new Quick Assist application has been developed using this control, making it a necessary component for the app to function. + +- For Windows 11 users, this runtime control is built in. +- For Windows 10 users, the Quick Assist Store app will detect if WebView2 is present on launch and if necessary, it will be installed automatically. If an error message or prompt is shown indicating WebView2 isn't present, it will need to be installed separately. For more information on distributing and installing Microsoft Edge WebView2, visit [Distribute your app and the WebView2 Runtime](/microsoft-edge/webview2/concepts/distribution) 
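Review bot: On PATCH 004, the "start a session" hunk at line 92: step 1 now says both the helper and the sharer can start Quick Assist, which is accurate, but the old "Quick Assist opens on the sharer's device" step was dropped, so a reader following only the numbered flow reaches step 4 ("The sharer enters the provided code ...") without being told to launch the app first; reword step 4 to "The sharer opens Quick Assist, enters the provided code ..." or add a short sharer-side step. The separate **Request control** / **Allow** or **Deny** step is a good addition; it is the point where the trust boundary moves, so say explicitly that screen sharing alone does not grant control. "Time-limited security code" should state the lifetime if the product documents one.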
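Review bot: On PATCH 004, the offline install hunk at line 143: the new step 2 reads `cd ` with nothing after it. The placeholder `<*location of package file*>` from the old line appears to have been stripped because the angle brackets were treated as an HTML tag; put the placeholder inside the code span, for example `cd <location of package file>`, or escape it. The same step refers to "the file ... in step 1", but step 1 is "Start **Windows PowerShell**"; the download is described in the paragraph above the list, so say "the folder where you saved the downloaded files". The `-PackagePath` changed from a version-stamped name (`MicrosoftCorporationII.QuickAssist_2022.509.2259.0_neutral___8wekyb3d8bbwe.AppxBundle`) to `MicrosoftCorporationII.QuickAssist_8wekyb3d8bbwe.AppxBundle`; whichever is kept, tell the reader the real file name from the Store for Business download carries a version and must be substituted. Finally, `Get-AppxPackage *QuickAssist* -AllUsers` shows the package is installed for existing users, not that it is provisioned for new ones; `Get-AppxProvisionedPackage -Online | Where-Object DisplayName -like '*QuickAssist*'` verifies what `Add-AppxProvisionedPackage` actually did.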
From 9b0507a9a753dcf242e87304a4cd2459a35a411c Mon Sep 17 00:00:00 2001 From: Amy Zhou Date: Tue, 7 Mar 2023 16:29:33 -0800 Subject: [PATCH 005/101] added migration instructions --- .../do/images/mcc-isp-migration.png | Bin 0 -> 35234 bytes windows/deployment/do/mcc-isp.md | 32 ++++++++++++------ 2 files changed, 21 insertions(+), 11 deletions(-) create mode 100644 windows/deployment/do/images/mcc-isp-migration.png 
diff --git a/windows/deployment/do/images/mcc-isp-migration.png b/windows/deployment/do/images/mcc-isp-migration.png new file mode 100644 index 0000000000000000000000000000000000000000..50990a846662804a2aec4dee7483e9653cbeeb1e GIT binary patch literal 35234 zcmce;cTkgEw>BR2L2Q5xc<3Sm(v?u8gMvs$s&tiJBfTd)peWKyfPfU~9qAAVvC=}X zQbIro5W0{MAnl9qd(J;+=FE5IcjosE!`#_>?tAyW)?Vwn){Zka)MmQGc?kdjFzGze zGywq4$pQdpuU$A#&+#uy51~KK_?u`y1k??43`wGiajjpp}(=AU2M==`|y z@b{%BKQ7zfqxriG5Bj?tEL^{yrlSgS5b!VXA09khjadHxE4OUAO>Y?Bs_9!8nz|j`9#I+Nes*;<@8b$`U1>)CmW_dvu2jXFyrlvfW>9DPWPFa8WxM1 zxCkkeRx9U4R||R}BJG(z&&t=8{MKbai*Kq1k2jc+PP(NkfAi)^k9oOV`y)q0d3N@s}sx%SQ_0ZjgB>* zEEHBF?>`E~LM>P8A(ZOv*{1Ts&%ajqXzlo|86#$;8VV;Q>A|lH3TxSpB_K?(P zgG6#i;>SF^a><*GI*m0?MrHfVk9>oXn2KQPu3!TM@Hc=o2Mvq&KB z01s;}%l^S?_JN7;!GJ#BgJk*IR9aVI0qkfTzDJbrZ&s-OuJGI?_DV|HfCFmi24k*! zeAV4L>!5VD%3T*eI$(biIfyHuduEOyHE@-BB zX>|-I>#^Gp;7p$#kXb_qmzmSA_nqYNOq{DKZFig5|9O^j%XYZm(EFi9*_@$|PxK_W zKxv2d-MyC|8g)ElBd>dLs1zpSl^P1T`IBnkryf@A)Ibj923;zKrqgNsXVtS9T zMSl!Y^-jyV`ji&YWPY2yR8Q)TkQFlclP#G7^^0uvQwC5r%tK!i zK-gJi^>6#$C%^PoRxfK&RzK?*>3tKhajNgW9iAt?Zf_y#p#1xWPZ&%1p?e1x(CRulgk#gQ(9`I_JsLIsa@eFyR*7{Qs z;N&-O*KOqY_VtqnzEQlzKVJ{#;a=+J0P2=(f63M(j&kNr9%TV@u42G&LmB2J1qrlPJ5UcNHS2`M#OJaVEE=69Sgopb(5-W&M4O}IoLnA)4{!wD|ujJ zQG>qa=xZfIltJ>6DC}m54wIwQzP)PWx0(_h8z*8AR64e~_B#0^HnQ@~fM;al!adI- z!uVBl=F>O)oBnN`KUy#cOnFqB#2=lXK1|uG*hS066IufgQKhETR37-V1lY_q3t;<p zvFA@uvm7`m6v`<>Z5LUorNLc;QL3h}$rI$>Y21MUG^^&HMDY2?*x+#jvCq_I;?D$i zPW`45k$T_kfxzW*K0l@q=afp5#m7~HnGOnz;huBV;D;E? 
znc+y2(0=(+7f(iu0nBltEwJI?E-7ANw{z{;yvJ(pDe$mU_{YWZlCCD355l{t1976p z1Li@sSO@vT%)UsY2O6QB*iQtV4x`9jNpje(r)$=woPoiAkN@CJ{26tl>wn3fV`L7% zTsnWNGk7tyH&WpFk))f=_lu(J-&XO!K{v5&%P*t*A~XH<(`0+rNfL3 zT{$ylw;Br*tojP^Ok8lCI>hH~R(F>tRg2M1Yc0hJQkX=&A?-A_j%_~tr9ISI0WCaN z%p#_o>;NM&fVzCOmPzh4)GR#eZ$nP83HG{xLqyP!w>0S2y?PWzDc2d-21+9w+3geL z`==~mcFHt4s~r%r<+aRosdcMN`;pE!Ch8-~IVb#}&1x{@-ntvuWaz0q+=#leb{1TY zoyz-l%=+`=rnS3sjD7B*&)Cdo({gC8=kr9e*W7+#uG30h8{>Q;!a}M(%fWV8Z6qTF zl^J$8Jw0s6Z{@QEqPB`t;$g-!BVDYX3*MIX?S_)Pjar+V^Y^3PyLAzntsEjc$lKt( z9P|>>-542rTJgf9N==I3GRwD{RWL*@3g$Jx+K87sz3|yvQ zBU&50K*^S82B?@_o&50X>&3JucNW@Sp6Sy^-dXzTm<&~olxDmH5AVRVn2ubz>%*MOjGgq@!|h!&Q3MRv_Nx zPU-RYf27r!emF{IZB^I2&-U)a9-ub2N>=&s@NXqf)R!m2Fc(UULju<;&8J2!}L z!gJ;pS%fZ)uXSl(k;t;~fqB>c^E%<=XauX|IM|3V>Q5gDE7r!(pcn@}7gM&nlevMT zx$>VQ^Zc1bYl*e@N0^w}pMhHsNYW>RuRFbe4eDV}!$Ik&F8N=-Y&eFnqnq4a0*E#R}B!Q&*`Z6x5uA>R)~(bS3Wq2hjafIaE>#PU%$yV>Se*>J`e zHM*R@z$9bN&{8t2+G;YkMhI-E3BA=}@#I!EBT@(X*ZkUH#Y%@R2As1N-qjNSlX<8>;G#IG7xiyyA4F76eM;NAX zTM9{TyuvBdr|)df2vB@@H|zvot|r0C%IZfq6b5{IdDf{(alCjIzF0{4QzPy3P2XAV z%Ff%|!{~R`1Ok~|WG&0EV_#}=;t=^m`5=~7d<5_ttG(KuA5dP{Gt$OQZ8|Dxrh4Xu z-}e4f6I7e{O!3LYTYjizUW<-mc_Zy!n?G>}RMNu0;Hw zvZ^Nx=9N22i1(#=1xEQL!_UrJSsRY`HuEjD#$KAR)A5Bkt7W~0TMSlsc@G>EH^N#J z_O6{fA3)BX-fnj3TuVBBCNu7?_T!PjKT)7P$Hq_FwhFYy>e7R^!F`d)iIIk#479ZR zX$$;~Y+C@wmFaRpU?49=YdA^&3Rl^&76r! 
z8ZFXUGc7pHh@g=$Sq0=(VZSd7?Cm478+CG#s%wn$h}BQYJj+8(vERZ;tlQsK9kpL) z5pe$Pc)9r_#cfBw<7?V|%WtbgH#gvlbw_s*YC-KvQuF)wTN>NybOZLTpwy1;2k)P| zPwBi(?b^6nQylv(I%Mfy3kFYq-eLVQOQsY0(?xcA>t0Jf?!adQ6EmdZ45$Mbd zs$CFt#%zBa5TMMO0Va7^O&xbDvRv#q4sUB8sU$Cp5Uj#WtR?r{k;roZw0eBuP;|h(qJ!<>rnd>GsqXEQ90$p;e<0k!Fj>stp-cHXW6UCpVumEd zZh8-SSmw3ZWd$a$@S(ih&_bO-Eq|8#X0X6D_pX+refhhU@4ah7?H>(OTE$O~{^9@+ zsN-CHULp&Y4XNr|h9o^HEUs?KA}BtZ`bC4H9@zQ?a)I>x=1At&;NdOOCMY9!nzYA$ zS?`KYo3Yansk(Ep38?G)RnGzfiGEjQg6&&q&%1|mnI&x-Su%Ck}utY|?Dr3@#*0wa#>d+F?%i77~ z!pR(V_AAsLmeo^GLSTXE@BDvI0W~q{-9AB8ht7|SYdq^h+)_Et0d7`l85fIT#4PIq z#C%Q-jNrE!Zy7)y<6R#?3|oEBn}%;c*hn@F=5{T-T|`Dg#Yc{mBs&W-u=2TWFa@Ov zkjmzS@P!21a8E(#a>F~Y1NG(p!uK_$tedtXKG4N)*hA{&zc%+!vw}5DfpI zXw|k_%I-L;^vmW1x#HZtnp6UZ{gbv(tjaHToBk(gQuzPz**OxcP$O)O`r? zdC&9m!2MIjkL8s(mdU6D9CMe^ITN=67}MThH)2l zaUQ{L`15E{m{`-#z5OAe2w5s%q;l{xm_=}xz^SGpr(D@;gIxCysoY=7 z4p;KCI`)Q@qyuEl4)+kfw*D76l;BMdjREiK*))b)z2{d?)(e8gyaA09wK5RuVF8f* ze20F3ID9F>BwB4WFmAPiCC6FnV2yT-p?GWJm(>BQ8(8vqwG&Rr^rPOLLC;)h>^!!2 zD|mp!h>sZ*u{z#)KX?YElcjeexTX#_iRgzm?k^7g+UUf4xYg9B4!p-FGqnyqKM9-t ztKKAN>3+v@W3{t8g>4pLGgD%IY9Huycy9AS7TO8?x`7AJD|QHeRTB0!lWDKQZ73~!F=H*aTH1YImA9)4Z+ga%?PjL1F+ium_`c+UWR&*oau(-|C8G+xF zt{j|Z-Cht|^_y@W?1+rjr;LO<9k$vv8nORS3M2Kd4%7WMBs0XI+>2@C35u7iIwDPoEVS?T!Pnb5?e`Pu{g+YgLL$=+NvA z>__Ug{=9QP%xm;(^U1ou)5ree!$BTtq67HmU*5HucMsqXM2B-Ytq56>yRP2l^aGpc zxY{QU=e7eC--0>AtYF<;vR(e6%Gv=wF{vDK$I_rv$3kW0bzKM7AWH0fgmKo(i@i+9m*iu4`CEdT_aB5h`z;?!p(;{EBX0-|s5#Up9cC>t{Md0E z^y=946mqai=s1$=0C#od){AE81;PUsg{zi)5>L(ynMy(nD9Q^GKKp{0R4Z!7SgkWP zsH!GQZOq68{XBomou7XK@+vPOD4ozPQ`ezG4K2F#Y=o1)xMy>xK9dhaDcK%aaFlHN z<=5f)$2}7gWlJmk<=E&kYp~nW_-a&L%dO-L8u^s3J|2rk&QL zmK%PMxLoEOnoUa(TW$1RQ^sYvWh)!z90|B@s68qp)hmE%KV}U$(KuSrB32=@9lNeO zo*qaDw~CFBtLlkpHn*4{_*IdEOyS{u-z4P?Wa2%s$YKFXxYKfT9L{q%GRcrZ z#-ZELr$d#)r<4J3vxF{|9Ih1dbup%3?)P%9bVuASraEL;iGih%HokebLA$Rwls|8- z`Aq^il=1O?4b){M7N@(u59u@j|E|B`)Q+sP1|5GFwW^)w$lOWPN4)J{EoJH3eA85l zzp^!CfFSip0ec3VEe+k?>Uyhj03nGrcBgh7$Edi`+@Gg;51z#qgm(;f?sSe%E4sK) 
zN>(vzwQYh8C@n~_&NgogGt{N<}RJ$ta*<$bul~wf| zKO-IKmel6U>L7}2ha`%(zpS~UHdY0;UJuY{#dP$$^!;euXfx`w6Xo+cnQNH?dmvAh ztGdX$BpslsJ6)8;Tv`AV<{butb>Egx%u4YWmxs&*`R-rS?ORG8s;Dlojc5|x5^>0Q z?I83fLg>JRL|LZ)RpAq0Cwf+)k4zeoH-;}8y5!|PfecRu#id`m@CZ-*2fhZDrI~Q3 zOrCz&+*(VxDDAn-*#U9Kv(5ve9uho~WcoK8bZKo6lDtl-32aaO+$$Vk73E|EBI($Z z(9io5(C0}>T&KGPHzgsb3|GX=jd4SafI?#lYY)6wcDYf3WSr)D&@%uW4vJXe@}q12 z8>0Y5=O*%R5gJF?7wK#@6+o1n+qFqIfyW6cxjt~6VWmA~+1TI1=K_~%GanF`)~v5Q5&)YJsy>B zsOB%{)R(fP?M_IpI@>qYvEyO25n->}lMG!o_7`|gWUI7m(#$-Tl1+JS+xjvwq8AeR z005{>k*)Ymcav-H0zOaBeYA(?Dgl?4&9eGSoNWfp&LbH0`pFIhMR7PjRt7+!?7?|D z8p53rnMl+b@@{DaPx$}p%Aqn9f`x^gezxm5PviBRLw4JO&jC_y{0EM*^3NZjJi(SJ20y zaql^HzNGe(vu-B&b#h>=?Fodj{~Sk>_j-7th?2oNHa0B%@HhKF;c1q$Q#>0my|qTd zJ?zB$dPa5&t!DlAWy|;EIj_SGF@&dj{8~BCW{=*hQ3S3~2+5vnX>L2y1(GV2mph6x*s#@C;wWyRB3^_5%9ZHK@)b2ngsqKL3yFx|+T@)j2 zZH@@6q~n~t)_2DCMGMXIz2N4P@-NN2ZR3T>*SLYbjZdrt;OK+PJM-83^&TKBW;ZC- z*zHX1SU=EHIR%^yEOJ#b`AdWtOYH+jdc!_{@gU5P^njPIgdVw52K$3Lh+ndtSFNn9 z6>g$s4SF0t{AQ+bINX=G>7gct42reIVU{fo^U3B4D@La$dFjrh7dxGHAU|0U>(%-8|B49n>@MV?|4j`o#gG`z<@wug6o$W~AH6zBRIZZoR(pj#`S(n5=(F*P2w*cHjokW^N3ahX@!lm|olQZ%IRW(;Qr z#3#2w(5DBDU0sicP=UNLD@oAQg2VA*l+TQ(C-!{0QQI4B9(H>FHZIgcN)NN+v0rC+ zQ^IFx$zIC*!CDa{RHxJE(zb>Xe-E`9oE=%>H3?k_0=rRHzr;Ar@X^Zch_Gb(NmRM8 zo{^QjQRuW(_;5fc_+wM6dCYEF8LH!+;*$sqxjOmuYd-9)SxAqgNQ7-jGz^n@SkYNz zg{!fD6=y}S9?)Dr%_v*-l3Y3xUqc~SbKu|T6L%*TEb<)I!x2rEW8Fhxk7kd|S^Am^ zxZGQ=BtSg_1a0I7Xxn$4C}(j1gXsaLk8Q;<VEe!YtP-9b6Es+xI)_?fqKyu`B1F z5{NB#lha2yITS2}%BDOF0z6HJS<23-{u!*F{eJzHc!i6|)-Y04LC1t*$i?Vt9#OZ* zAufq+WoxrpCUW|v2>-P|%fOA#`+|pAo_R1xart4#Psp)K?){lQ!iq!YJlW@om9;f} zm@YlDZ-P5hd`oQif-sE`BkcLvpsS=>P*m9-AMqo1vg-i!)a!w-Ae2 zU|E7ZWB(j&e;p%qFti_k-de(%*W(prz4S+eKH&bUp0o+0oeRRPJBBa`u2<$qqdj4B zqK-tML9Go1qCL>F^el`LkMPS2`FN?$XMc_M%b8WPv`u7H`MmXNIV+OmuRmjK@()Pu z56m1@S7{*eFF1PC{ObP(hyE`h_H?z?{S^Qp;09t4nfFGm7VzrspEneBTp4-k=}y4t zA|2ljxbem!_94IC~YtRfTw3n z%3ai1AX~b3|88>8F;X{<`Hv6b1!wFQ=tVA5NjU1;&RVIC^Ft1NboEj0)>il!!_RAp 
z7(z68v7Gue@Z$4a01y7|K)Py1j%2f*0jMXBOKK$6xovdQ;GPM)yDwSbTnW5j#B!pX z3fCy~!IZOfRT0J0APi|*%>$eY-6ppv)Z2JEZT3l9bx-LB>xfitAGm9pQTI5WVt`>P zO&azilO;84by_$N&#$21Xy&+S9EJglYOdi*t|1C46sz#tVg$5IgvRs z&$<<=oFNdTO+sBjGos}`SOtCiqf@k>Jj!`{F*OmL8js(|WcLSII`9_{c$n!Xe#H9C z^gyK}D_}lSrw=|J8X1r0bBe;jvum{cYx18IvZr&f&Z33JtnT3(R18oEt%%>< zB+xv(gel#sTCP7fk^1SGQ+`!cpgQUzykh(Z?htv8Ur#vr`KM_HL_6^uu_@Ej?K02k zAZxXkrC`&Hk5cNe!|omjC~Tf<5eZkawt<%nSqoNikH-v}vSOIs6mTBzr;OA2qb4Mj z16{h5teo;zzBlGy>pH6*JpHe^(d^8ewbR0TItQw+SU$nyzXa>(4V-2DnK3=}EEpQt zc6%$y|LVS`jdB-Z9P%CCY^gEL+EqCv($bAA;AVAgW4#mEWz62#*Eq_j9}Ytgq`t)n zibq|w?QbWVi1|+`t3`h7JYe8en~>Z6y*Bk;Mlw~$qdT{kP2$n) zunv{HDg%xk6b<@5wzV$mNn9w;a^759=fRXHtaopBRS*JC9v`kqwXL;f@hRi2Up=}t zU#RBq{Z!GALAv`RRvL{|$}d$8fW1LUQ#i)Aw@MLk3;J~ZKAUqG-{l+zSAmz{rlU>F ztJ~^_M)Sa8OJfpDV}xzbCq`S+<1|Uj!$A4E4b`HBT{mi2m=XzC)Dsg~!5@H_L-{p- zJx&u84Y6_+5|^#|s^(b+8yy74jD)N{U=l@uQExHOVbGb0dCkL>J?*Ui@yF2fJeoOp zIMxYk8B7>x_D&IkLLgS{1TCcZARn(uOj6Xu;ee~*HP_tkC%h)T%BJ3XOs3U@E_|3F zA>;XMMWYAwu?kIJHk+`y-iZ?3LJ+t_$4R>N^^AG!B!5;a`8Cqh4SGH*dc#tYuO?8c zYbs*kYtNd43gvNA(|TlZe*RG}0lALZY~PwCpPb0b&gjF&Z4bL(%_VCEv$jE=>6{Z= z$1C}G=@$I72+n!LQr@zH!Z6{vE}#5?mZDVE#-VUKQapH0e1f#!o14q$QTMm6i~kR6 zpnKAukvv*aEzcf7yLOmsy8C)@cpzR^4>p&ax7+-x8@*!F8&F#+>; z`mWC(HZsYYPVPsbPAX4|hF!yWAj9SWDYDXH?)jGb7OZI`ckfjPE(dggE_;Ena} z-ZzI4^kWG<7y++pp1`ZW6&QnmJUvCak_p?{4w#QA*mI*&nl%rd%lT(~7j|~A9u;FG z;0k;@x@*%}Le(*K54j<`Zj`$>wgmSt2RckFf_L^bL73fj^Bv#=uoK_dO1TfACuSrp z-qD4&cm?u!5CikV$bQ^21E|aGOq(21RxkR^_aJuBFAeAdfwB-d)8spqWDSlOHE}%b zENL;neSeUvvOcp^+J^3jGC97kcDfS!=TRTL4L1w}e-Bm_ zB18JyFM2Ta+KsH4%{;Ngy{twCKP)rKy%iXS3G;Xy#wV>RQtC1}U#E=la_bP!c0Vw_ zu$6rgy7sF_NXk2|2p?joV`Yq8m*p1}e8b%-F@HC7I8Mw4eDJDDY_dDuq-fy2jTLG- zqvT<)(LjKhL}T4UAql;{A}ChWGQWl-9V)^y+$Ng-W^?Y9LSuwhZHA%Vp04wkb<6pPpIVs&(ICuEnC?d)01GeMN}FBKi!W z>~V6bW#}PDUNTT}Ug6xN@J<$B-Eg4|+w^ZemuK!{5@P9DPhNhcD8Fdk8`^Ny z+^P2PJ=)`x=P5Ji1f-aE{w13O4zZ*?DFok0U866733#VfS=3{x5gDW`w`)Atr*^X; z0gCoxj;b=sdrRYs6Oa$r(>{Ep8dsh>s}nQhR`tihVCXol(RtxnSC55@&} zw)qz5Z~;dk->4;&4?QIAnx*h#S4h@&G2C1y&*h 
z%i^JoV!KYT8GBCbE@X8K2fVor(y2(fO>BX5L9sjF?Gbf4_wnI z_kGW4Jzj3YC@vXz?RDKb^Ed;Usz7`@v-n^;)n2En@R6k*1?PnUYK&%R1aKkhcmOy_ zYj9TeJ~4sAoq^{Lt}bYo_?CHTQgs}PAM9HBiLF452K4&%29CaLa5(*_Cd^=3fHbzA z47hExRFnl9OX!m9@Zl6Hztb_m@_2i<>IQoERlbnBM*^=}t?z7FpMj*&(caKD$qy!p zzy;j=yYP%U%e0S%L52@(EE3&h-i+t5i0qZcNR_OYh?xf7xPznd$F){?nNR%CDm(kj z^6MmDxu%J^6M;_!SeuDcqSj6o6|tEW1!{eI{63nU>sjz}#zv6hJx})2q)yUR#3i3b zWwByfpP}D?0bH(s^Q?8;T%*CQbp>}plGd4zQFN);_5l2xj($I|`4BqhT6+m&*-qd; zy?t4>LZ($1X>JN}DTs1azWbFmbW5Pm)pPui%<_%if5Q zpR570UbPk&;NcW8AwR!f?dqoD=t?Xc{NbgY0b#>}oo8FNl0)(NG}JTLIDCQukp zezvo!19MePX`sf#)$rn`>h1jv%*2c>Mx(#NL6UX1#aigXhqh z*@7nSl&9{`8t$0Qj@wOrV6AEdS?dOr4(2hN_gz{Ef>z}^qQ~UyQUchyi7Xj`!gZ>w z3mSyhCVQWy^DZu3hz+)4@mhZP*Hj;o@mjN!b5->1AiDH{yP4Y=eQ+#d+oKHr5Fv`bLs$bQwl^|yq>7-OzZH2zAZzQ z7(!#_e(u0m4t#hAccRz@oyI#bK>Ihy7e8Q|IX)(WSOekfrjx|?oY(E?&WvXr6JHb+ zFN|tLw{^=qd7zEwGxby9p@*ek97dQwO|}S0QKBYr8h-yl2C1Ww)(QYz8hfFU=n~8t z$2<#v@5H`4F74r$p7D0qJ{0t50%ArE^tkT1D!IjRiJ07Sin?a@d6F+#vv?}9Ru<2* zV}5FgED+jbF39C2DsTv+5ijxr8K)38>cqxfW(l{kweBZe%>bGjmVgEd- zu>9UxXNr?p*MdYQfx}IMsrh3wQywJlcAO5RRcST6hcawTqMwjaRnXqC5x3cy$GY2@ zoQJkW)C6ZYcgf1Ro74mx8{bxFdrbMT_gyK`3oX_jMZE=EB{9HcA`k!RoUuk^-5*JR zM|RkUArU-N@sSnOPp6nwWr1y?I2cFi3>TeJvldVa+ee#Q`09~B&+h`m^FG0%Xs9lu z>}kt}Dw;vha&f|LY%#c?X^b^|$#}e8)G)EQ)2w=fO@sBSq}$9bCO{ZlG-sj2f{)J8 zxgH*EM!8dYkGbf=^KUbJ?&p_7eoCL7Wp-LuL8XhjuUmKlHeOutpr04tu6+YN60_?= zyWwB0!HSncuM*#I@bGQ)=J^ceaGgruw^Ka>@cvJ#wjy5Z53?IEI`%&!ZT}Zz*#s&{noZxS?NHhKgR35y`OI~9+gR79^d8_=<@OiOd7ALzfhYS99h^o-=xD!uAe&C zzw81>1WbbImU*G6jmLY}x>P1Ed4_LA-><`D8uc?lvSRpKrI#sw&jgyB;>=>tCS;gZ z6*|_5Gec)$-`w~<>ryYT!N!1M*Lykpec>P7-(FTb^+=D_ch*Ss+0GCDaHq7c!>p}} zMJZoiVL+w3#9ZfIC6_n(OK-Hz7CoK6@d6Pv*3dO#%fY;Cnf^5SF)zj^Q-qO9jaL3W zO2J`?Qv=^dx^Lrd&r5K55E@C?ILjgNZ(@7etD!(9fO_y~DZBt`=AAYL)XJ=T0#i_V z`cPLlR;PHvsVwmF5Vvmt;2BiLKjF8z-%P@5*gIXi9gF`->UVeR$jH*Y^W-cu^o$8P z`Gym@!y#iNKdcMCNU{vAGBiI3hW$_($UWG0OxBsm|AsBOw%&gXQ8s#<7u1Enug9`I zcZX1Ea4@bEi7lDX?sFaC=GPMDPEmnG>TmM--yu^QC%B7-bNdUMiL!@dmC+Tf7on%H6wxkF`!R3>?XmrlD4&*`K7Hb9i*nrw>A&H 
zy4Tsdy0G67ltpQ}7y!=|=M6gsnKxLjjHp$$)<&A-pYTmw zYFq<{z6{TtxeCFz%BUbLsPoOS9lnBZ> zc@t(AM6)Z|>lbhe_!WX9{$9aOxF$fK3U4{{^-a4vqy#f7*$=nxpXG==tu%?)tn^!( zW$#yrE5?4VhGe=r_y_;OLAtn!UxGr{U}zt!Gk{UMKm;~mpU!{~fHdf+xqUfvp=$U}h?)E#CN3N4Ysgn;T(7J6e#jE=k zrVK0x))k~Zp;nf`7yZ|sK|=z?g*gJy)++wllePOXB2q&y1BJyrMp?-Vn`_}4D!Fv_H73R(xairxMBH{H^46+7zu)*+#< zSO~jYd7Wk(=DfLMB+&_uyAv&KBhFC9i8jZWVu3L%?4c{N@_)~g)-#l;St@>-4L%+1 z>W`T$%xSJB2Wk-0YVcc#felc`fj7e;i&7hRf%$t-&RWe{KYTLz6Q}` zdc=LmAR=;7^dVps9EwZMMLTLDj@3M|upP$L<1zO3TER!jb7E4|W#YlMDk13hA1uH|4)ZMul7PiiJX5iUu7-^*9yUAd+B9*CxFrPkU5qVkKj z7-U;dGbUL_G8rtyv|c{$$TXjQ?Yvg3;$B0QFrcfjWWPq9VTRA!lCV9zv}3bUT|jinTYwkFVVxVqA^dhI&Ix{~2f~N6nURWyVtvaAV)F z=?Ip-Ev2CM5fLfe!5MwsD)kk$_UTAuXaaXIdAZSuL36RWPuS4-Y06$jI`#^pfGUh~ zJQqF1tz8ug zKqb~bc^~~;GkHc=7qese<+W*A25v=P%gVAS5c}YQ{-x5SdX{kAd7uu*4pj1jdx!(6+*61h`0g2S)q}D{2QhVRM$E@Zd_l~BU5X65rva$Q$ ziuuhPPPS(Y(y4ojjW2-cQ2+pKnswQO(?a|jOyQe1f1iEak=VlGBZA^P_h;)NwbF3H zW5&PW*U@E5550?7a&e(IkzCo#ZWcG+EOM{4eRtAtviS&NkpBdX6%xcT`tbCGSE{3x zX`zBjuM*rmKbOS-N#35+PvfB9>O5B??M6XHI;DL3a-b~) zH-iFE?k|Q}sv6VqJK+gkjlOxxgsbXH`ye*B=#yK()K(ZFwy2-?y5>JQ^KnU-WVrAA90+Htyo z(%30;x)kjZB(xl-Gy5y3;2fYZ97hkCB3?bQ?cMZQ3zE8wT>M#Cmr`nRIboiFs!ZkV zEhvwUGST+1m}H|W>%1n_7;c1e?ZH^?kF0CjIC8U^F=)ikH#TZ|MBmc%t{xxfRQ%*A zZhqoh-nHvF+{H}gf&DgbtZ24agMWE_kuBzyww?~QD*z^R{aej$2wZQ0yArsTmRyFTdJ_u>4L4G)>bktl7G315p z2F{kBjiv7~@%o5><|_(Qo;o;6<&7!paBOKF$@%jw+4>P-YXr3_5wBACOYUvYEKe=_eP6!K*VUjE^cR!xxz*Pz zVbvE_6hiT#&}qaxHZE~YKJDa4cV%s8{CMGf=woD!I)g(DdI^;(Jgq7@;uWrSRMFLq zUzj-fg)!$Pv81f5x^Wzxm|`oE?Nga(7{%HBh0Ei|UoRgFt`Jeh!}ETVmBp(G;xHAD zpU+si5fb&tvd$5@=0yZ}7*Dhh2FUxpjT@I4>h`Y}bp9t)9qj-zd1PWSzts-KN@#rk zh|A3E>A9HZwdK!oszH2n(MnMvPmU7RNjr5ScI3kqG;&1qG*4l$KRAo1)P>)fmhbdY zG<}0ptuyw|+vdQLO^dE2-1sHcKEBAILydhnB2-HA$>1{_B7^^d{V_-0_XJTQF@Wsq zXReFXGh)Zb(}G zm;(d5=r1=_+a#`x<&*TY5vO`O3Xgth*Q*jz6xReA18KkgdfFRIO3o%5v2Y1d!mHJV zOCfw~k4|0}Fgy2c_+y(_nEUdFL~B_KmO>nrvS>*=g$#0!`$~&!muu zxpedHmgMQtj+lUUq(*H15eKk5oIcE>qSd?IdfgF6vwjN=y|911b=1|MogYH>g(*8% 
z!6sBjDOc3#Ha_QBddT!I9U9YK5<=qtX6KgWp6o;-Q{Tv2^e^m13jd8)rjK@E=Vr-& z22l6m@3qX`N6lrK+D#utf@)JMEjYE!O9rFsTxaU+eC`zwg0&ecs#B*Qdri}> zjJNBs339V01sb5LLC|{Igj)ZM6jd153w*Vt9=!O|f7o1O!Z#(T-3mP`Lj) ztu_{zoW?$*a(g7Vl-}%}%J={^v9zLJ65~!l+=#tu)PZRz=%=*H&wmO4G|xU<&89p z%>%=)a0S6(0*%fn|J|j-b6g0?(d8qrEK95z2e=BRO7K6x729X!NoBj!cSX>oY;;bo z2?t`y=ajRwi|Emu1U2T z{xEpv`)J7>!5OfB$wzxi=V&hS#gx~zYF1rFnV>~BXvz8r^oIsKjp;^d9A^?J6P~6IWLhqJ)IcXuy?e0m2S@O z*ZKu=8k}4v9M)lzjZo2z6a{-uo4@20#_x6OvK^nvVNQx}RvIs~xZu6sN-ZgIf#s-4 zxe1Arp0G`6)?O9?HhaT7Ho*R(v%^B^6_W@;d?{p0B z`pN3QCtE}KV}+t`eVn?kb^U$TZQUyU`1i~{eu4g%OTU1xebuanR_f$%PK8-ywaSR~ znSP^_=t{=irBQzKEn9)WOb5?thPlmlur{or8BJQ0bNsV7s^gVSi=*HA-l)-yI6mQ& z`ukon%q#G_h@^+j^Wvo0>^{DmP_x=ptF*LOFDc-K@xpUCf0Pu<&&i;V6*{$9zI->F zQZMdD^SeDAkeC}1=c3JWEv1BP8R#JQz1q4?GW(uV&i`xvk0zX>b7BKqOg`K-akQVQ zriT_m#ivHLbzKOVeW z{=;7dMsLEs>Qa$rJCn3hkIt>ytaBAz3cF-$n9aVw#*0%c7*@88KB%8p7~wJA#9ccR zTYcl0N9xGG)$LP;sPSj)kJG!{kaY4PppYjp(bZ$JkS`7C8Owh0j!O-mw@V%+TH1vL z%Eo2P1{H}Ll(Y?jqA&52+X{xRxvu5l52adv154br6eEilW|ZnPa2hiWUhYo@qTj>? 
zEY^Y2UPFV>c|*hVw!NN$em2qEhvX!sV^BECsI7ZDEYfmATaJ)By505>XTeEH82ah| zRq7@{u?N6GC^g0Axeo44Dhv4ayuLOa|A(S7XH@U=<`_l^z_2Ts{`Fxe5jXmen1jt1OMRl76>K5xR zXoS86L&oK~|D~>`R03eTt{pOFgQ@WGRgLqv(YfHJ*{&0)^z+Z^Cp#dpfIpJR!@6q5 zpw`~8@m5W!kgjgj+a?8Laz>L);dad~sLiu{IeYy9&x<>==(2A4{Cz6&^sPMowWwWD zA@m3!fR*ly1Ke8tw_g%qcSVCK%HrQzPk?e+hAz%k@t9YXwyw^PB#tPH*;BHE^Ga;F zGmT22$9)6d(HR*D+yn-WusPSk54->T$Nd*$ls|sY|K&Xx{|{8y|LXdVf9byf4mus` z!iov~0uyz;zhoH`0VP{o?pYx=_5Y{5_l#=l@47`%|A->R28aqM2uPRSyYyZHQUWMV zxXS^Q{ACqjd z_bH{oVJE0sR*gYhaM#Z;0wD?tIM}W~KOHLwIQOLJc}TJe z7neHxwIlQ1Ls;2ue$dpye7y%F7LgT0Qz+?nKg}#xIX5t(tZJvl0WD+4LJAMB7Rz?u z#j`K70_#J5WvsvjSv8Z8<;wGOsNR#kC=OviQZJ78O|y2@4CAL-;otYIAB?8EJ>x$X zQ@8PoR>X+JT5%Tmdg@%}u@%~hQB9xrpt9aq3B<=1AG0}l6RQfc*C7fZzTD=4c$T*{ zt^M9D{Mfp>N2OLCo)>7I)ARKH&Y)Zs*FUzX@)fUFuTR@N#dZWYHyqdH^b zW}J7$!3hXW{-G-mfPr8DzUdDWP+OZR<*#ief-DxtSH0&McL`g@llRcoN#jpUd*zf) z7&??6Zj4c&=p$8V^5|C79d*zvUif}z7^OL5dfIv3@|f_P$8-cxo7qn#uv;?nCtm1F z%fBD0Jc2$PAzgB#erkTvVkZnybF-%LS^Y&=`O{own>}%KwRNdA?>8X zam!^zC85*s#aoWI!UV>HiGtmB)f6*Xn_|+>uY1~B5kz$ONM0>23(%0hhm%98tsvO< zw;K-oi|v#UFerM9WM-K{T1?=V>4(0)b4SpPmFjC2XV3VOHPg1*X0gDBz=Q2(d)5iJ zB=7nR7E?Y$lu1JWTaJSL$(Q}c$?{y%;4275aCyIwdZ41ahJ3D}L<(qI_RaY)liI=h ze68@q_%5}3Uwd6Dn1b!IH=^%aepo&TvD(@q=5JhuF`QU$ zZk5DRSDkJ@KTCiIMvIXx-ZlNQx#?oCbv#~1nRmCk?_vULyL#;oEG_6{m5CPI!_d4` z6<1ytb^u)r_n1JrtNS?wv(`4p) zwXJLau&x#qI$60v(N8NK{{jDk1j9#a#zYCat>4}-G#*Zr7u@!Hk0<9F5lBPz&4>c# zuekhw2vY;!X|!cqL@^Om&iQ5-P_K{ZDEPq<)+9r3+lrNPfcwI5A$m=oWes>5b8UfJ z!1A%g%Mx%kw0>`;9rkO`y|HS;+&bI?5x-{Hs%jSbNf8IMiNrcGObQmkS*DyuqZ3@Y3a zSgML*t$heuT~?|INIxJ9Uq|a%-(~u)#(ijAS@m?{5wtqMBet`e49ysA@u7I{Zr*14 z5JsWnZ`$?S@###D{x019%{yf$KE77%whvuxRs^QoOX_0#nF72 zP>_-;i$v=CC{!MwDzd7X(!;+^@>hLURL6mM>+qt>*k*IhuE#~8N_(-3aTRi>u%0GE zjwL4DK8-*x97N`~Z!TT&_LGy@iq6(2NC681)i`v~J&h<`V#5G&NUfAN9v;^p{FSkf zdvX06ce!!k9{0%kkYSf~-lj{;+3P1H*O>LDFTlMkgnJpS#>6sf4j z1hTYI#AahF0%t$WU47Z&xJ3<>=N5=;U7@wOf0AW7jkxfth|mamHky8@Ib`sRVJrfI zKwb@?r<9LuHhS@l5}sj!QdrSH4&%s3bGs$tSLO=p|w0HY(~*klREeo-}!_MxWDStuU-^>G 
[!IMPORTANT] -> This document is for Microsoft Connected Cache (early preview). During this phase we invite customers to take part in early access for testing purposes. This phase doesn't include formal support. Instead, you'll be working directly with the product team to provide feedback on Microsoft Connected Cache. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). +> This document is for Microsoft Connected Cache (early preview). Microsoft Connected Cache for ISPs is now in Public Preview - for our early preview customers, we highly encourage you to migrate your cache nodes to our public preview. See [instructions on how to migrate](#migrating-your-mcc-to-public-preview) below. Microsoft Connected Cache (MCC) preview is a software-only caching solution that delivers Microsoft content within operator networks.
MCC can be deployed to as many physical servers or VMs as needed and is managed from a cloud portal. Microsoft cloud services handle routing of consumer devices to the cache server for content downloads. @@ -72,9 +72,6 @@ Your Azure subscription ID is first used to provision MCC services and enable ac The resources used for the preview, and in the future when this product is ready for production, will be free to you - like other caching solutions. -> [!IMPORTANT] -> To join the Microsoft Connected Cache early preview, provide your Azure subscription ID by filling out [this survey](https://aka.ms/MCCForISPSurvey). - ### Hardware to host the MCC This recommended configuration can egress at a rate of 9 Gbps with a 10 Gbps NIC. @@ -115,16 +112,13 @@ To deploy MCC: 6. [Verify properly functioning MCC server](#verify-properly-functioning-mcc-server) 7. [Review common issues if needed](#common-issues) -For questions regarding these instructions, contact [msconnectedcache@microsoft.com](mailto:msconnectedcache@microsoft.com). ## Provide Microsoft with your Azure subscription ID As part of the MCC preview onboarding process, an Azure subscription ID must be provided to Microsoft. > [!IMPORTANT] -> If you haven't already, provide your Azure subscription ID by filling out [this survey](https://aka.ms/MCCForISPSurvey). You can't continue if you skip this step. - -For information about creating or locating your subscription ID, see [Steps to obtain an Azure subscription ID](#steps-to-obtain-an-azure-subscription-id). +> For information about creating or locating your subscription ID, see [Steps to obtain an Azure subscription ID](#steps-to-obtain-an-azure-subscription-id). ### Create the MCC resource in Azure @@ -508,9 +502,9 @@ To configure the device to work with your DNS, use the following steps: sudo restart IoTEdge ``` -### Diagnostics script + ## Updating your MCC 
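Review bot: In the `## Provide Microsoft with your Azure subscription ID` hunk, removing both the survey link and the `msconnectedcache@microsoft.com` contact leaves the section stating that an Azure subscription ID "must be provided to Microsoft" with no remaining way to provide it; either describe the public-preview onboarding path or drop the sentence. The surviving `> [!IMPORTANT]` callout now holds only a cross-reference to "Steps to obtain an Azure subscription ID", which is not a warning; make it a plain sentence. In the first hunk, the rewritten note drops the link to the Azure preview supplemental terms although the page still describes a preview; keep that link unless the public preview is covered by different terms. The `-### Diagnostics script` deletion is followed by a `+` line that is empty in this rendering; if the section was meant to be hidden with an HTML comment rather than deleted, confirm the comment markers actually survived.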
@@ -557,6 +551,22 @@ If you have an MCC that's already active and running, follow the steps below to 1. To finish configuring your MCC with BGP routing, continue from Step 10 of [Steps to Install MCC](#steps-to-install-mcc). +## Migrating your MCC to Public Preview + +Please note, if you reboot your server, the version that you are currently on will no longer function, after which you will be required to migrate to the new version. + +We recommend migrating now to the new version to access these benefits and ensure no downtime. + +To migrate, use the following steps: + +1. Navigate to the cache node that you would like to migrate and select **Download Migration Package** using the button at the top of the page +1. Follow the instructions under the "Connected Cache Migrate Scripts" section +1. Go to https://portal.azure.com and navigate to your resource to check your migrated cache nodes + +Here is a screenshot from the Azure portal to help: + +:::image type="content" source="images/mcc-isp-migration.png" alt-text="A screenshot of Azure portal showing the migration instructions for migrating a cache node from the private preview to the public preview."::: + ## Uninstalling MCC In the installer zip file, you'll find the file **uninstallmcc.sh**. This script uninstalls MCC and all the related components. Before you run this script, contact the MCC team. Only run it if you're facing issues with MCC installation. From a5f4af21a1b85a75f0fce74ff728576ae37f4a92 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Wed, 8 Mar 2023 13:45:16 -0500 Subject: [PATCH 006/101] RDP article refresh draft --- .../connect-to-remote-aadj-pc.md | 136 +++++++++++------- windows/client-management/quick-assist.md | 26 ++-- windows/client-management/toc.yml | 4 +- 3 files changed, 101 insertions(+), 65 deletions(-) 
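Review bot: In the `## Migrating your MCC to Public Preview` hunk above, "if you reboot your server, the version that you are currently on will no longer function" is the most consequential statement in the patch, yet it does not say what stops working (the IoT Edge modules, content serving, portal reporting) or whether clients keep being routed to the node; spell that out so operators can judge urgency. The steps tell the reader to download a migration package and run the "Connected Cache Migrate Scripts", which on this host execute with root privileges (the page already uses `sudo` for the IoTEdge restart); add how to verify the package before running it (a published hash or signature) and state the expected service interruption, since "ensure no downtime" only holds if the migration is done before a reboot. The unchanged context line in the uninstall section still says "Before you run this script, contact the MCC team", but this patch removes the only contact address on the page; add a replacement contact or a portal support path. Also replace "Please note, if you reboot" with "If you reboot".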
diff --git a/windows/client-management/connect-to-remote-aadj-pc.md b/windows/client-management/connect-to-remote-aadj-pc.md index 88a544e7d9..6cd754549d 100644 --- a/windows/client-management/connect-to-remote-aadj-pc.md +++ b/windows/client-management/connect-to-remote-aadj-pc.md 
@@ -1,94 +1,124 @@ --- -title: Connect to remote Azure Active Directory-joined PC (Windows) -description: You can use Remote Desktop Connection to connect to an Azure AD-joined PC. +title: Connect to remote Azure Active Directory joined device (Windows) +description: Learn how to use Remote Desktop Connection to connect to an Azure AD joined device. ms.prod: windows-client author: vinaypamnani-msft ms.localizationpriority: medium ms.author: vinpa ms.date: 01/18/2022 -ms.reviewer: manager: aaroncz ms.topic: article +appliesto: + - ✅ Windows 10 + - ✅ Windows 11 ms.collection: - highpri - tier2 ms.technology: itpro-manage --- -# Connect to remote Azure Active Directory-joined PC +# Connect to remote Azure Active Directory joined device +From its release, Windows has supported remote connections to devices joined to Active Directory using Remote Desktop Protocol (RDP). Windows 10, version 1607, added the ability to connect to a device that is joined to Azure Active Directory (Azure AD) using RDP. -**Applies to** +- Starting in Windows 10, version 1809, you can [use biometrics to authenticate to a remote desktop session](/windows/whats-new/whats-new-windows-10-version-1809#remote-desktop-with-biometrics). +- Starting in Windows 10/11, with 2022-09 preview update installed, you can [use Azure AD authentication to connect to the remote Azure AD device](#connect-with-azure-ad-authentication). -- Windows 10 -- Windows 11 +## Prerequisites +- Both devices (local and remote) must be running a supported version of Windows. +- Remote device must have the **Connect to and use this PC from another device using the Remote Desktop app** option selected under **Settings** > **System** > **Remote Desktop**. + - It is recommended to select **Require devices to use Network Level Authentication to connect** option. +- If the user who joined the device to Azure AD is the only one who is going to connect remotely, no other configuration is needed. 
To allow more users or groups to connect to the device remotely, you must [add users to the Remote Desktop Users group](#add-users-to-remote-desktop-users-group) on the remote device. +- Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-guard) is turned off on the device you're using to connect to the remote device. -From its release, Windows 10 has supported remote connections to PCs joined to Active Directory. Starting in Windows 10, version 1607, you can also connect to a remote PC that is [joined to Azure Active Directory (Azure AD)](/azure/active-directory/devices/concept-azure-ad-join). Starting in Windows 10, version 1809, you can [use biometrics to authenticate to a remote desktop session](/windows/whats-new/whats-new-windows-10-version-1809#remote-desktop-with-biometrics). +## Connect with Azure AD Authentication -![Remote Desktop Connection client.](images/rdp.png) +Azure AD Authentication can be used on the following operating systems: -## Set up +- Windows 11 with [2022-09 Cumulative Updates for Windows 11 Preview (KB5017383)](https://support.microsoft.com/kb/KB5017383) or later installed. +- Windows 10, versions 20H2 or later with [2022-09 Cumulative Updates for Windows 10 Preview (KB5017380)](https://support.microsoft.com/kb/KB5017380) or later installed. +- Windows Server 2022 with [2022-09 Cumulative Update for Microsoft server operating system preview (KB5017381)](https://support.microsoft.com/kb/KB5017381) or later installed. -- Both PCs (local and remote) must be running Windows 10, version 1607 or later. Remote connections to an Azure AD-joined PC running earlier versions of Windows 10 aren't supported. -- Your local PC (where you're connecting from) must be either Azure AD-joined or Hybrid Azure AD-joined if using Windows 10, version 1607 and above, or [Azure AD registered](/azure/active-directory/devices/concept-azure-ad-register) if using Windows 10, version 2004 and above. 
Remote connections to an Azure AD-joined PC from an unjoined device or a non-Windows 10 device aren't supported. -- The local PC and remote PC must be in the same Azure AD tenant. Azure AD B2B guests aren't supported for Remote desktop. +There's no requirement for the local device to be joined to a domain or Azure AD. As a result, this method allows you to connect to the remote Azure AD joined device from: -Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-guard), a new feature in Windows 10, version 1607, is turned off on the client PC you're using to connect to the remote PC. +- [Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join) or [Hybrid Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid) device. +- Active Directory joined device. +- Workgroup device. -- On the PC you want to connect to: +To connect to the remote computer: - 1. Open system properties for the remote PC. +- Launch **Remote Desktop Connection** from Windows Search, or by running `mstsc.exe`. +- Specify the name of the remote computer. +- Select **Use a web account to sign in to the remote computer** option in the **Advanced** tab. This option is equivalent to the `enablerdsaadauth` RDP property. For more information, see [Supported RDP properties with Remote Desktop Services](/windows-server/remote/remote-desktop-services/clients/rdp-files). +- When prompted for credentials, specify your user name in `user@domain.com` format. +- You will be prompted to allow the Remote Desktop connection when launching a connection to a new host. Azure AD remembers up to 15 hosts for 30 days before prompting again. If you see this dialogue, select **Yes** to connect. - 2. Enable **Allow remote connections to this computer** and select **Allow connections only from computers running Remote Desktop with Network Level Authentication**. 
+> [!IMPORTANT] +> If your organization has configured and is using [Azure AD Conditional Access](/azure/active-directory/conditional-access/overview), then your device must satisfy the conditional access requirements to allow connection to the remote computer. - ![Allow remote connections to this computer.](images/allow-rdp.png) +### Disconnection when the session is locked - 3. If the user who joined the PC to Azure AD is the only one who is going to connect remotely, no other configuration is needed. To allow more users or groups to connect to the PC, you must allow remote connections for the specified users or groups. Users can be added either manually or through MDM policies: +The Windows lock screen in the remote session doesn't support Azure AD authentication tokens or passwordless authentication methods like FIDO keys. The lack of support for these authentication methods means that users can't unlock their screens in a remote session. When you try to lock a remote session, either through user action or system policy, the session is instead disconnected and the service sends a message to the user explaining they've been disconnected. - - Adding users manually +Disconnecting the session also ensures that when the connection is relaunched after a period of inactivity, Azure AD reevaluates the applicable conditional access policies. - You can specify individual Azure AD accounts for remote connections by running the following PowerShell cmdlet: - ```powershell - net localgroup "Remote Desktop Users" /add "AzureAD\the-UPN-attribute-of-your-user" - ``` - where *the-UPN-attribute-of-your-user* is the name of the user profile in C:\Users\, which is created based on the DisplayName attribute in Azure AD. +## Connect without Azure AD Authentication - In order to execute this PowerShell command, you must be a member of the local Administrators group. 
Otherwise, you'll get an error like this example: - - for cloud only user: "There is no such global user or group : *name*" - - for synced user: "There is no such global user or group : *name*"
- - > [!NOTE] - > For devices running Windows 10, version 1703 or earlier, the user must sign in to the remote device first before attempting remote connections. - > - > Starting in Windows 10, version 1709, you can add other Azure AD users to the **Administrators** group on a device in **Settings** and restrict remote credentials to **Administrators**. If there's a problem connecting remotely, make sure that both devices are joined to Azure AD and that TPM is functioning properly on both devices. - - - Adding users using policy - - Starting in Windows 10, version 2004, you can add users to the Remote Desktop Users using MDM policies as described in [How to manage the local administrators group on Azure AD-joined devices](/azure/active-directory/devices/assign-local-admin#manage-administrator-privileges-using-azure-ad-groups-preview). - - > [!TIP] - > When you connect to the remote PC, enter your account name in this format: AzureAD\yourloginid@domain.com. - - > [!NOTE] - > If you cannot connect using Remote Desktop Connection 6.0, you must turn off the new features of RDP 6.0 and revert back to RDP 5.0 by making a few changes in the RDP file. See the details in this [support article](/troubleshoot/windows-server/remote/remote-desktop-connection-6-prompts-credentials). - -## Supported configurations - -The table below lists the supported configurations for remotely connecting to an Azure AD-joined PC: - -| Criteria | RDP from Azure AD registered device| RDP from Azure AD joined device| RDP from hybrid Azure AD joined device | -| - | - | - | - | -| **Client operating systems**| Windows 10, version 2004 and above| Windows 10, version 1607 and above | Windows 10, version 1607 and above | -| **Supported credentials**| Password, smartcard| Password, smartcard, Windows Hello for Business certificate trust | Password, smartcard, Windows Hello for Business certificate trust | +By default, RDP won't use Azure AD authentication, even if the remote PC supports it. 
This method allows you to connect to the remote Azure AD joined device from: +- [Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join) or [Hybrid Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid) device using Windows 10, version 1607 or later. +- [Azure AD registered](/azure/active-directory/devices/concept-azure-ad-register) device using Windows 10, version 2004 or later. > [!NOTE] -> If the RDP client is running Windows Server 2016 or Windows Server 2019, to be able to connect to Azure Active Directory-joined PCs, it must [allow Public Key Cryptography Based User-to-User (PKU2U) authentication requests to use online identities](/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities). +> Both the local and remote device must be in the same Azure AD tenant. Azure AD B2B guests aren't supported for Remote desktop. + +To connect to the remote computer: + +- Launch **Remote Desktop Connection** from Windows Search, or by running `mstsc.exe`. +- Specify the name of the remote computer. +- When prompted for credentials, specify your user name in either `user@domain.com` or `AzureAD\user@domain.com` format. + +> [!TIP] +> If you specify your user name in `domain\user` format, you may receive an error indicating the logon attempt failed with the message **Remote machine is AAD joined. If you are signing in to your work account, try using your work email address**. + +> [!NOTE] +> For devices running Windows 10, version 1703 or earlier, the user must sign in to the remote device first before attempting remote connections. 
+ +### Supported configurations + +The table below lists the supported configurations for remotely connecting to an Azure AD joined device: + +| **Criteria** | **Client operating system** | **Supported credentials** | +|--------------------------------------------|-----------------------------------|--------------------------------------------------------------------| +| RDP from **Azure AD registered device** | Windows 10, version 2004 or later | Password, smart card | +| RDP from **Azure AD joined device** | Windows 10, version 1607 or later | Password, smart card, Windows Hello for Business certificate trust | +| RDP from **hybrid Azure AD joined device** | Windows 10, version 1607 or later | Password, smart card, Windows Hello for Business certificate trust | + +> [!NOTE] +> If the RDP client is running Windows Server 2016 or Windows Server 2019, to be able to connect to Azure AD joined devices, it must [allow Public Key Cryptography Based User-to-User (PKU2U) authentication requests to use online identities](/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities). > [!NOTE] > When an Azure Active Directory group is added to the Remote Desktop Users group on a Windows device, it isn't honoured when the user that belongs to the Azure AD group logs in through Remote Desktop Protocol (they can't sign in using Remote Desktop Connection). In this scenario, Network Level Authentication should be disabled to run the connection. +## Add users to Remote Desktop Users group + +Remote Desktop Users group is used to grant users and groups permissions to remotely connect to the device. 
Users can be added either manually or through MDM policies: + +- **Adding users manually**: + + You can specify individual Azure AD accounts for remote connections by running the following command, where `` is the UPN of the user, for example `user@domain.com`: + + ```cmd + net localgroup "Remote Desktop Users" /add "AzureAD\" + ``` + + In order to execute this command, you must be a member of the local Administrators group. Otherwise, you'll get an error similar to "There is no such global user or group: ``". + +- **Adding users using policy**: + + Starting in Windows 10, version 2004, you can add users to the Remote Desktop Users using MDM policies as described in [How to manage the local administrators group on Azure AD-joined devices](/azure/active-directory/devices/assign-local-admin#manage-administrator-privileges-using-azure-ad-groups-preview). + ## Related topics [How to use Remote Desktop](https://support.microsoft.com/windows/how-to-use-remote-desktop-5fe128d5-8fb1-7a23-3b8a-41e636865e8c) diff --git a/windows/client-management/quick-assist.md b/windows/client-management/quick-assist.md index c4f89271af..51ef10e461 100644 --- a/windows/client-management/quick-assist.md +++ b/windows/client-management/quick-assist.md @@ -9,6 +9,9 @@ author: vinaypamnani-msft ms.author: vinpa manager: aaroncz ms.reviewer: pmadrigal +appliesto: + - ✅ Windows 10 + - ✅ Windows 11 ms.collection: - highpri - tier1 
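Review bot: In the connect-to-remote-aadj-pc.md hunk, the second `> [!NOTE]` under "Supported configurations" keeps the advice that "Network Level Authentication should be disabled" when an Azure AD group is in Remote Desktop Users, while the new prerequisites recommend "Require devices to use Network Level Authentication to connect"; disabling NLA lets unauthenticated clients reach the logon screen, so the note should first offer the alternatives (add the individual users with `net localgroup`, or use the **Use a web account to sign in to the remote computer** path described earlier) and call out the risk if NLA is turned off. The prerequisite "Ensure Remote Credential Guard is turned off on the device you're using to connect" gives no reason; say why it cannot be used for these Azure AD scenarios so admins do not disable it by policy for every RDP session. The front matter keeps `ms.date: 01/18/2022` for a full rewrite; update it. The new H1 is "Connect to remote Azure Active Directory joined device", but the toc.yml hunk in this same patch keeps the entry "Connect to remote Azure Active Directory-joined PC"; align the two, and change "honoured" to "honored" to match the rest of the page.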
@@ -23,8 +26,8 @@ Quick Assist is a Microsoft Store application that enables a person to share the All that's required to use Quick Assist is suitable network and internet connectivity. No roles, permissions, or policies are involved. Neither party needs to be in a domain. The helper must have a Microsoft account. The sharer doesn't have to authenticate. -> [!NOTE] -> In case the helper and sharer use different keyboard layouts or mouse settings, the ones from the sharer are used during the session. +> [!IMPORTANT] +> Quick Assist is not available in Azure Government. ### Authentication @@ -45,7 +48,7 @@ Quick Assist communicates over port 443 (https) and connects to the Remote Assis | `*.registrar.skype.com` | Required for Azure Communication Service. | | `*.support.services.microsoft.com` | Primary endpoint used for Quick Assist application | | `*.trouter.skype.com` | Used for Azure Communication Service for chat and connection between parties. | -| `aadcdn.msauth.net` | Required for logging in to the application (AAD). | +| `aadcdn.msauth.net` | Required for logging in to the application (Azure AD). | | `edge.skype.com` | Used for Azure Communication Service for chat and connection between parties. | | `login.microsoftonline.com` | Required for Microsoft login service. | | `remoteassistanceprodacs.communication.azure.com` | Used for Azure Communication Service for chat and connection between parties. | 
@@ -104,29 +107,32 @@ Either the support staff or a user can start a Quick Assist session. 1. The sharer receives a dialog asking for permission to allow screen sharing. The sharer gives permission by selecting the **Allow** button and the screen sharing session is established. 1. After the screen sharing session is established, the helper can optionally request control of the sharer's screen by selecting **Request control**. The sharer then receives a dialog asking them if they want to **Allow** or **Deny** the request for control. +> [!NOTE] +> In case the helper and sharer use different keyboard layouts or mouse settings, the ones from the sharer are used during the session. + ## Install Quick Assist ### Install Quick Assist from the Microsoft Store 1. Download the new version of Quick Assist by visiting the [Microsoft Store](https://apps.microsoft.com/store/detail/quick-assist/9P7BP5VNWKX5). -1. In the Microsoft Store, select **Get in Store app**. Then, give permission to install Quick Assist. When the installation is complete, you'll see **Get** change to **Open**.
:::image type="content" source="images/quick-assist-get.png" lightbox="images/quick-assist-get.png" alt-text="Microsoft Store window showing the Quick Assist app with a button labeled get in the bottom right corner."::: +1. In the Microsoft Store, select **Get in Store app**. Then, give permission to install Quick Assist. When the installation is complete, **Get** changes to **Open**.
:::image type="content" source="images/quick-assist-get.png" lightbox="images/quick-assist-get.png" alt-text="Microsoft Store window showing the Quick Assist app with a button labeled get in the bottom right corner."::: For more information, visit [Install Quick Assist](https://support.microsoft.com/windows/install-quick-assist-c17479b7-a49d-4d12-938c-dbfb97c88bca). ### Install Quick Assist with Intune -Before installing Quick Assist, you'll need to set up synchronization between Intune and Microsoft Store for Business. If you've already set up sync, log into [Microsoft Store for Business](https://businessstore.microsoft.com) and skip to step 5. +Before installing Quick Assist, you need to set up synchronization between Intune and Microsoft Store for Business. If you've already set up sync, log into [Microsoft Store for Business](https://businessstore.microsoft.com) and skip to step 5. 1. In the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Tenant administration** / **Connectors and tokens** / **Microsoft Store for Business** and verify that **Microsoft Store for Business sync** is set to **Enable**. 1. Using your Global Admin account, log into [Microsoft Store for Business](https://businessstore.microsoft.com). -1. Select **Manage** / **Settings** and turn on **Show offline apps**. +1. Select **Manage** / **Settings** and enable **Show offline apps**. 1. Choose the **Distribute** tab and verify that **Microsoft Intune** is **Active**. You may need to use the **+Add management tool** link if it's not. 1. Search for **Quick Assist** and select it from the Search results. 1. Choose the **Offline** license and select **Get the app** 1. In the Intune admin center, choose **Sync**. 1. Navigate to **Apps** / **Windows** and you should see **Quick Assist (Offline)** in the list. -1. Select it to view its properties. By default, the app won't be assigned to anyone or any devices, select the **Edit** link. -1. 
Assign the app to the required group of devices and choose **Review + save** to complete the application install. +1. Select it to view its properties. +1. By default, the app isn't assigned to any user or device, select the **Edit** link. Assign the app to the required group of devices and choose **Review + save** to complete the application install. > [!NOTE] > Assigning the app to a device or group of devices instead of a user is important because it's the only way to install a store app in device context. @@ -135,7 +141,7 @@ Visit [Add Microsoft Store apps to Microsoft Intune](/mem/intune/apps/store-apps ### Install Quick Assist Offline -To install Quick Assist offline, you'll need to download your APPXBUNDLE and unencoded XML file from [Microsoft Store for Business](https://businessstore.microsoft.com). Visit [Download an offline-licensed app](/microsoft-store/distribute-offline-apps#download-an-offline-licensed-app) for more information. +To install Quick Assist offline, you need to download your APPXBUNDLE and unencoded XML file from [Microsoft Store for Business](https://businessstore.microsoft.com). Visit [Download an offline-licensed app](/microsoft-store/distribute-offline-apps#download-an-offline-licensed-app) for more information. 1. Start **Windows PowerShell** with Administrative privileges. 1. In PowerShell, change the directory to the location you've saved the file to in step 1: `cd ` 
@@ -147,7 +153,7 @@ To install Quick Assist offline, you'll need to download your APPXBUNDLE and une The Microsoft Edge WebView2 is a development control that uses Microsoft Edge as the rendering engine to display web content in native apps. The new Quick Assist application has been developed using this control, making it a necessary component for the app to function. - For Windows 11 users, this runtime control is built in. -- For Windows 10 users, the Quick Assist Store app will detect if WebView2 is present on launch and if necessary, it will be installed automatically. If an error message or prompt is shown indicating WebView2 isn't present, it will need to be installed separately. +- For Windows 10 users, the Quick Assist Store app detects if WebView2 is present on launch and if necessary, installs it automatically. If an error message or prompt is shown indicating WebView2 isn't present, it needs to be installed separately. For more information on distributing and installing Microsoft Edge WebView2, visit [Distribute your app and the WebView2 Runtime](/microsoft-edge/webview2/concepts/distribution) diff --git a/windows/client-management/toc.yml b/windows/client-management/toc.yml index 5b27211b1f..bd831a11be 100644 --- a/windows/client-management/toc.yml +++ b/windows/client-management/toc.yml @@ -98,10 +98,10 @@ items: href: administrative-tools-in-windows-10.md - name: Use Quick Assist to help users href: quick-assist.md - - name: Create mandatory user profiles - href: mandatory-user-profile.md - name: Connect to remote Azure Active Directory-joined PC href: connect-to-remote-aadj-pc.md + - name: Create mandatory user profiles + href: mandatory-user-profile.md - name: New policies for Windows 10 href: new-policies-for-windows-10.md - name: Windows 10 default media removal policy From 11b33883f5bcb34ce8fae969005b7df4d416c76f Mon Sep 17 00:00:00 2001 
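Review bot: in the `### Install Quick Assist Offline` hunk, step 2 (`change the directory to the location you've saved the file to in step 1`) refers to a step 1 that is `Start **Windows PowerShell** with Administrative privileges`; the download is described in the intro paragraph, so point at that instead, for example `the location where you saved the APPXBUNDLE and XML file`. Because the next commands run elevated against whatever is in that directory, it's also worth saying to keep the downloaded files somewhere only administrators can write.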
From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Wed, 8 Mar 2023 14:02:53 -0500 Subject: [PATCH 007/101] minor updates --- .../connect-to-remote-aadj-pc.md | 16 ++++++++-------- windows/client-management/quick-assist.md | 2 +- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/windows/client-management/connect-to-remote-aadj-pc.md b/windows/client-management/connect-to-remote-aadj-pc.md index 6cd754549d..578f68f898 100644 --- a/windows/client-management/connect-to-remote-aadj-pc.md +++ b/windows/client-management/connect-to-remote-aadj-pc.md @@ -28,7 +28,7 @@ From its release, Windows has supported remote connections to devices joined to - Both devices (local and remote) must be running a supported version of Windows. - Remote device must have the **Connect to and use this PC from another device using the Remote Desktop app** option selected under **Settings** > **System** > **Remote Desktop**. - - It is recommended to select **Require devices to use Network Level Authentication to connect** option. + - It's recommended to select **Require devices to use Network Level Authentication to connect** option. - If the user who joined the device to Azure AD is the only one who is going to connect remotely, no other configuration is needed. To allow more users or groups to connect to the device remotely, you must [add users to the Remote Desktop Users group](#add-users-to-remote-desktop-users-group) on the remote device. - Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-guard) is turned off on the device you're using to connect to the remote device. 
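Review bot: `It's recommended to select **Require devices to use Network Level Authentication to connect** option` is missing the article (`the ... option`), and the bullet should say why the recommendation exists: with NLA the client has to authenticate before a session is set up on the remote device, so unauthenticated clients never reach the logon screen. Stating that here matters because a later note in this same file tells readers to disable NLA for the Azure AD group scenario.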
@@ -52,10 +52,10 @@ To connect to the remote computer: - Specify the name of the remote computer. - Select **Use a web account to sign in to the remote computer** option in the **Advanced** tab. This option is equivalent to the `enablerdsaadauth` RDP property. For more information, see [Supported RDP properties with Remote Desktop Services](/windows-server/remote/remote-desktop-services/clients/rdp-files). - When prompted for credentials, specify your user name in `user@domain.com` format. -- You will be prompted to allow the Remote Desktop connection when launching a connection to a new host. Azure AD remembers up to 15 hosts for 30 days before prompting again. If you see this dialogue, select **Yes** to connect. +- You're then prompted to allow the remote desktop connection when connecting to a new PC. Azure AD remembers up to 15 hosts for 30 days before prompting again. If you see this dialogue, select **Yes** to connect. > [!IMPORTANT] -> If your organization has configured and is using [Azure AD Conditional Access](/azure/active-directory/conditional-access/overview), then your device must satisfy the conditional access requirements to allow connection to the remote computer. +> If your organization has configured and is using [Azure AD Conditional Access](/azure/active-directory/conditional-access/overview), your device must satisfy the conditional access requirements to allow connection to the remote computer. ### Disconnection when the session is locked 
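Review bot: `If you see this dialogue, select **Yes** to connect` should read `dialog` in this docs style, and `connecting to a new PC` is inconsistent with the `hosts` wording in the next sentence (`remembers up to 15 hosts`). More usefully, tell the reader to check that the computer name shown in the prompt is the one they intended before selecting **Yes**; a consent prompt that is always answered **Yes** provides no protection.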
@@ -65,7 +65,7 @@ Disconnecting the session also ensures that when the connection is relaunched af ## Connect without Azure AD Authentication -By default, RDP won't use Azure AD authentication, even if the remote PC supports it. This method allows you to connect to the remote Azure AD joined device from: +By default, RDP doesn't use Azure AD authentication, even if the remote PC supports it. This method allows you to connect to the remote Azure AD joined device from: - [Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join) or [Hybrid Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid) device using Windows 10, version 1607 or later. - [Azure AD registered](/azure/active-directory/devices/concept-azure-ad-register) device using Windows 10, version 2004 or later. @@ -87,7 +87,7 @@ To connect to the remote computer: ### Supported configurations -The table below lists the supported configurations for remotely connecting to an Azure AD joined device: +This table lists the supported configurations for remotely connecting to an Azure AD joined device: | **Criteria** | **Client operating system** | **Supported credentials** | |--------------------------------------------|-----------------------------------|--------------------------------------------------------------------| 
@@ -99,7 +99,7 @@ The table below lists the supported configurations for remotely connecting to an > If the RDP client is running Windows Server 2016 or Windows Server 2019, to be able to connect to Azure AD joined devices, it must [allow Public Key Cryptography Based User-to-User (PKU2U) authentication requests to use online identities](/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities). > [!NOTE] -> When an Azure Active Directory group is added to the Remote Desktop Users group on a Windows device, it isn't honoured when the user that belongs to the Azure AD group logs in through Remote Desktop Protocol (they can't sign in using Remote Desktop Connection). In this scenario, Network Level Authentication should be disabled to run the connection. +> When an Azure AD group is added to the **Remote Desktop Users** group on a Windows device, it isn't honoured when the user that belongs to the Azure AD group logs in through RDP resulting in failure to establish the remote connection. In this scenario, Network Level Authentication should be disabled to allow the connection. ## Add users to Remote Desktop Users group 
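Review bot: the rewritten `> [!NOTE]` says `Network Level Authentication should be disabled to allow the connection` without any caveat, while the prerequisites hunk earlier in this patch recommends requiring NLA. Say what is given up (without NLA the remote device establishes the RDP session and presents a logon screen before the user is authenticated) and point readers to the alternative this article already documents in the next section: add the individual Azure AD users to **Remote Desktop Users** with `net localgroup` or the MDM policy, which doesn't require turning NLA off. Also consider `honored` (US spelling) for `honoured`.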
@@ -113,12 +113,12 @@ Remote Desktop Users group is used to grant users and groups permissions to remo net localgroup "Remote Desktop Users" /add "AzureAD\" ``` - In order to execute this command, you must be a member of the local Administrators group. Otherwise, you'll get an error similar to "There is no such global user or group: ``". + In order to execute this command, you must be a member of the local Administrators group. Otherwise, you may see an error similar to `There is no such global user or group: `. - **Adding users using policy**: Starting in Windows 10, version 2004, you can add users to the Remote Desktop Users using MDM policies as described in [How to manage the local administrators group on Azure AD-joined devices](/azure/active-directory/devices/assign-local-admin#manage-administrator-privileges-using-azure-ad-groups-preview). -## Related topics +## Related articles [How to use Remote Desktop](https://support.microsoft.com/windows/how-to-use-remote-desktop-5fe128d5-8fb1-7a23-3b8a-41e636865e8c) diff --git a/windows/client-management/quick-assist.md b/windows/client-management/quick-assist.md index 51ef10e461..710b726e76 100644 --- a/windows/client-management/quick-assist.md +++ b/windows/client-management/quick-assist.md @@ -27,7 +27,7 @@ Quick Assist is a Microsoft Store application that enables a person to share the All that's required to use Quick Assist is suitable network and internet connectivity. No roles, permissions, or policies are involved. Neither party needs to be in a domain. The helper must have a Microsoft account. The sharer doesn't have to authenticate. > [!IMPORTANT] -> Quick Assist is not available in Azure Government. +> Quick Assist is not available in the Azure Government cloud. ### Authentication From 7f62cd21739fd57c1d48a99f985e90bfff71c43b Mon Sep 17 00:00:00 2001 
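Review bot: in `net localgroup "Remote Desktop Users" /add "AzureAD\"` and the new error text `There is no such global user or group: `, the user placeholder renders as nothing in this view; confirm it survives rendering (angle-bracket placeholders outside a code span are swallowed as HTML). Also, `you must be a member of the local Administrators group` is not sufficient on its own: under UAC the PowerShell or command prompt must also be started elevated (Run as administrator), and that is the usual reason for the quoted error.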
From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Wed, 8 Mar 2023 14:06:55 -0500 Subject: [PATCH 008/101] another minor change --- windows/client-management/connect-to-remote-aadj-pc.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/connect-to-remote-aadj-pc.md b/windows/client-management/connect-to-remote-aadj-pc.md index 578f68f898..55566d9e65 100644 --- a/windows/client-management/connect-to-remote-aadj-pc.md +++ b/windows/client-management/connect-to-remote-aadj-pc.md @@ -37,7 +37,7 @@ From its release, Windows has supported remote connections to devices joined to Azure AD Authentication can be used on the following operating systems: - Windows 11 with [2022-09 Cumulative Updates for Windows 11 Preview (KB5017383)](https://support.microsoft.com/kb/KB5017383) or later installed. -- Windows 10, versions 20H2 or later with [2022-09 Cumulative Updates for Windows 10 Preview (KB5017380)](https://support.microsoft.com/kb/KB5017380) or later installed. +- Windows 10, version 20H2 or later with [2022-09 Cumulative Updates for Windows 10 Preview (KB5017380)](https://support.microsoft.com/kb/KB5017380) or later installed. - Windows Server 2022 with [2022-09 Cumulative Update for Microsoft server operating system preview (KB5017381)](https://support.microsoft.com/kb/KB5017381) or later installed. There's no requirement for the local device to be joined to a domain or Azure AD. As a result, this method allows you to connect to the remote Azure AD joined device from: From 4673f83bbfe2a15e01fe92ccda6e97b1fa5a9079 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Wed, 8 Mar 2023 16:14:15 -0500 Subject: [PATCH 009/101] Moving headers --- .../connect-to-remote-aadj-pc.md | 4 +- windows/client-management/quick-assist.md | 66 ++++++++----------- 2 files changed, 31 insertions(+), 39 deletions(-) 
diff --git a/windows/client-management/connect-to-remote-aadj-pc.md b/windows/client-management/connect-to-remote-aadj-pc.md index 55566d9e65..f65357896a 100644 --- a/windows/client-management/connect-to-remote-aadj-pc.md +++ b/windows/client-management/connect-to-remote-aadj-pc.md @@ -9,8 +9,8 @@ ms.date: 01/18/2022 manager: aaroncz ms.topic: article appliesto: - - ✅ Windows 10 - - ✅ Windows 11 + - ✅ Windows 10 and later + - ✅ Windows 11 and later ms.collection: - highpri - tier2 diff --git a/windows/client-management/quick-assist.md b/windows/client-management/quick-assist.md index 710b726e76..3da7ff8050 100644 --- a/windows/client-management/quick-assist.md +++ b/windows/client-management/quick-assist.md @@ -10,8 +10,8 @@ ms.author: vinpa manager: aaroncz ms.reviewer: pmadrigal appliesto: - - ✅ Windows 10 - - ✅ Windows 11 + - ✅ Windows 10 and later + - ✅ Windows 11 and later ms.collection: - highpri - tier1 
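Review bot: `✅ Windows 10 and later` already covers Windows 11, so listing `✅ Windows 11 and later` beside it is redundant and reads as if the two entries are disjoint; the same pair appears in both files in this hunk. Either keep the original two plain entries or collapse them to a single `Windows 10 and later`.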
@@ -57,41 +57,6 @@ Quick Assist communicates over port 443 (https) and connects to the Remote Assis > [!IMPORTANT] > Quick Assist uses Edge WebView2 browser control. For a list of domain URLs that you need to add to the allow list to ensure that the Edge WebView2 browser control can be installed and updated, see [Allow list for Microsoft Edge endpoints](/deployedge/microsoft-edge-security-endpoints). -## How it works - -1. Both the helper and the sharer start Quick Assist. - -2. The helper selects **Assist another person**. Quick Assist on the helper's side contacts the Remote Assistance Service to obtain a session code. An RCC chat session is established, and the helper's Quick Assist instance joins it. The helper then provides the code to the sharer. - -3. After the sharer enters the code in their Quick Assist app, Quick Assist uses that code to contact the Remote Assistance Service and join that specific session. The sharer's Quick Assist instance joins the RCC chat session. - -4. The helper is prompted to select **View Only** or **Full Control**. - -5. The sharer is prompted to confirm allowing the helper to share their desktop with the helper. - -6. Quick Assist starts RDP control and connects to the RDP Relay service. - -7. RDP shares the video to the helper over https (port 443) through the RDP relay service to the helper's RDP control. Input is shared from the helper to the sharer through the RDP relay service. - -:::image type="content" source="images/quick-assist-flow.png" lightbox="images/quick-assist-flow.png" alt-text="Schematic flow of connections when a Quick Assist session is established."::: - -### Data and privacy - -Microsoft logs a small amount of session data to monitor the health of the Quick Assist system. 
This data includes the following information: - -- Start and end time of the session - -- Errors arising from Quick Assist itself, such as unexpected disconnections - -- Features used inside the app such as view only, annotation, and session pause - -> [!NOTE] -> No logs are created on either the helper's or sharer's device. Microsoft can't access a session or view any actions or keystrokes that occur in the session. -> -> The sharer sees only an abbreviated version of the helper's name (first name, last initial) and no other information about them. Microsoft doesn't store any data about either the sharer or the helper for longer than three days. - -In some scenarios, the helper does require the sharer to respond to application permission prompts (User Account Control), but otherwise the helper has the same permissions as the sharer on the device. - ## Working with Quick Assist Either the support staff or a user can start a Quick Assist session. 
@@ -110,6 +75,33 @@ Either the support staff or a user can start a Quick Assist session. > [!NOTE] > In case the helper and sharer use different keyboard layouts or mouse settings, the ones from the sharer are used during the session. +## How it works + +1. Both the helper and the sharer start Quick Assist. +1. The helper selects **Assist another person**. Quick Assist on the helper's side contacts the Remote Assistance Service to obtain a session code. An RCC chat session is established, and the helper's Quick Assist instance joins it. The helper then provides the code to the sharer. +1. After the sharer enters the code in their Quick Assist app, Quick Assist uses that code to contact the Remote Assistance Service and join that specific session. The sharer's Quick Assist instance joins the RCC chat session. +1. The helper is prompted to select **View Only** or **Full Control**. +1. The sharer is prompted to confirm allowing the helper to share their desktop with the helper. +1. Quick Assist starts RDP control and connects to the RDP Relay service. +1. RDP shares the video to the helper over https (port 443) through the RDP relay service to the helper's RDP control. Input is shared from the helper to the sharer through the RDP relay service. + +:::image type="content" source="images/quick-assist-flow.png" lightbox="images/quick-assist-flow.png" alt-text="Schematic flow of connections when a Quick Assist session is established."::: + +### Data and privacy + +Microsoft logs a small amount of session data to monitor the health of the Quick Assist system. This data includes the following information: + +- Start and end time of the session +- Errors arising from Quick Assist itself, such as unexpected disconnections +- Features used inside the app such as view only, annotation, and session pause + +> [!NOTE] +> No logs are created on either the helper's or sharer's device. Microsoft can't access a session or view any actions or keystrokes that occur in the session. 
+> +> The sharer sees only an abbreviated version of the helper's name (first name, last initial) and no other information about them. Microsoft doesn't store any data about either the sharer or the helper for longer than three days. + +In some scenarios, the helper does require the sharer to respond to application permission prompts (User Account Control), but otherwise the helper has the same permissions as the sharer on the device. + ## Install Quick Assist ### Install Quick Assist from the Microsoft Store From 2c722dbbdd75f8860a71053f4dc71d004254d930 Mon Sep 17 00:00:00 2001 From: Amy Zhou Date: Wed, 8 Mar 2023 14:48:09 -0800 Subject: [PATCH 010/101] add doc changes for the private preview --- windows/deployment/do/mcc-enterprise-deploy.md | 6 ++---- .../do/mcc-isp-create-provision-deploy.md | 2 ++ windows/deployment/do/mcc-isp.md | 18 ++++++++++-------- 3 files changed, 14 insertions(+), 12 deletions(-) diff --git a/windows/deployment/do/mcc-enterprise-deploy.md b/windows/deployment/do/mcc-enterprise-deploy.md index 52b3515a34..1d0d719906 100644 --- a/windows/deployment/do/mcc-enterprise-deploy.md +++ b/windows/deployment/do/mcc-enterprise-deploy.md @@ -157,9 +157,7 @@ Installing MCC on your Windows device is a simple process. A PowerShell script p > > Don't use PowerShell ISE, PowerShell 6.x, or PowerShell 7.x. Only Windows PowerShell version 5.x is supported. -#### If you're installing MCC on a local virtual machine - -1. Turn the virtual machine **off** while you enable nested virtualization and MAC spoofing. +1. **If you're installing MCC on a local virtual machine**, turn the virtual machine **off** while you enable nested virtualization and MAC spoofing. 1. Enable nested virtualization: ```powershell 
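Review bot: step 5 of the moved `## How it works` list, `The sharer is prompted to confirm allowing the helper to share their desktop with the helper`, is garbled; since these lines are rewritten anyway, make it `The sharer is prompted to confirm that they want to share their desktop with the helper`. The sentence at the end of `### Data and privacy` (`otherwise the helper has the same permissions as the sharer on the device`) is the key consequence of choosing **Full Control** in step 4; repeat or reference it at that step so the choice is made with that in mind.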
@@ -229,7 +227,7 @@ Installing MCC on your Windows device is a simple process. A PowerShell script p 1. Your MCC deployment is now complete. - 1. If you don't see any errors, continue to the next section to validate your MCC deployment. + 1. If you don't see any errors, continue to the next section to validate your MCC deployment. Your VM will not appear in Hyper-V Manager as it is an EFLOW VM. 1. After validating your MCC is properly functional, review your management solution documentation, such as [Intune](/mem/intune/configuration/delivery-optimization-windows), to set the cache host policy to the IP address of your MCC. 1. If you had errors during your deployment, see the [Common Issues](#common-issues) section in this article. diff --git a/windows/deployment/do/mcc-isp-create-provision-deploy.md b/windows/deployment/do/mcc-isp-create-provision-deploy.md index 885330563a..9ac8afe416 100644 --- a/windows/deployment/do/mcc-isp-create-provision-deploy.md +++ b/windows/deployment/do/mcc-isp-create-provision-deploy.md @@ -98,6 +98,8 @@ There are five IDs that the device provisioning script takes as input in order t | Customer key | The unique alphanumeric ID that provides secure authentication of the cache node to Delivery Optimization services. | | Registration key | Single use device registration key used by Microsoft Delivery Optimization services. | +#### Provision your server + :::image type="content" source="images/mcc-isp-deploy-cache-node-numbered.png" alt-text="Screenshot of the server provisioning tab within cache node configuration in Azure portal."::: 1. After completing cache node provisioning, navigate to the **Server provisioning** tab. Select **Download provisioning package** to download the installation package to your server. diff --git a/windows/deployment/do/mcc-isp.md b/windows/deployment/do/mcc-isp.md index 0860339ed3..f32082bbc9 100644 --- a/windows/deployment/do/mcc-isp.md +++ b/windows/deployment/do/mcc-isp.md 
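Review bot: `Your VM will not appear in Hyper-V Manager as it is an EFLOW VM.` uses `will not` / `as it is` while the rest of this series moves to contractions and `because`; also expand EFLOW (Azure IoT Edge for Linux on Windows) on first use, since a reader who can't find the VM in Hyper-V Manager is exactly the one who won't know the acronym.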
@@ -61,7 +61,9 @@ The following steps describe how MCC is provisioned and used: ## ISP requirements for MCC -### Azure subscription +Microsoft Connected Cache for Internet Service Providers is now in Public Preview! To get started, visit [Azure portal](https://www.portal.azure.com) to sign up for Microsoft Connected Cache for Internet Service Providers. Please see [Operator sign up and service onboarding for Microsoft Connected Cache](mcc-isp-signup.md) for more information on the requirements for sign up and onboarding. + + -## Steps to deploy MCC + -## Install MCC + ## Verify properly functioning MCC server @@ -523,7 +525,7 @@ To run the script: 1. [Email the MCC team](mailto:msconnectedcache@microsoft.com?subject=Debugging%20Support%20Request%20for%20MCC) and attach this tar file, asking for debugging support. Screenshots of the error along with any other warnings you saw will be helpful during the debugging process. --> -## Updating your MCC + ### Configure BGP on an Existing MCC From 4b477a35ba5aa60e4b80d9c8b8579b77b160882d Mon Sep 17 00:00:00 2001 From: Sunny Zankharia <67922512+sazankha@users.noreply.github.com> Date: Wed, 8 Mar 2023 17:50:02 -0800 Subject: [PATCH 011/101] Update faq-md-app-guard.yml --- .../faq-md-app-guard.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml index a2c40f975e..6238c15bee 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml +++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml 
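Review bot: the new paragraph says `is now in Public Preview!` while the commit message says these are changes for the private preview; make the two agree before this merges. The link target `https://www.portal.azure.com` should be `https://portal.azure.com`, and `Please see ...` with an exclamation mark is outside the docs voice used in the rest of the file (`For more information, see ...`). The sections commented out below (`Steps to deploy MCC`, `Install MCC`, `Updating your MCC`) leave `## Verify properly functioning MCC server` and `### Configure BGP on an Existing MCC` in place; confirm those sections don't refer to steps that are now hidden.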
@@ -229,7 +229,12 @@ sections: answer: | - Visit [Create a new support request](https://support.serviceshub.microsoft.com/supportforbusiness/create). - Under the Product Family, select Windows. Select the product and the product version you need help with. For the category that best describes the issue, select, **Windows Security Technologies**. In the final option, select **Windows Defender Application Guard**. - + + - question: | + Is for a way to enable/disable the behavior where the host Edge tab auto-closes when navigating to an untrusted site? + answer: | + Yes. Use this Edge flag to enable/disable this behavior: --disable-features="msWdagAutoCloseNavigatedTabs" + additionalContent: | ## See also From 42d38e7650c945a15823daf5475390a2041295fd Mon Sep 17 00:00:00 2001 From: Sunny Zankharia <67922512+sazankha@users.noreply.github.com> Date: Thu, 9 Mar 2023 09:22:00 -0800 Subject: [PATCH 012/101] Update windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../faq-md-app-guard.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml index 6238c15bee..005b4ad629 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml +++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml 
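Review bot: the new question `Is for a way to enable/disable ...` has a typo (`Is there a way`), and the answer describes a way to `enable/disable` but only gives a disable flag; say that the auto-close is the default and that omitting `--disable-features="msWdagAutoCloseNavigatedTabs"` restores it. The flag should also be in backticks or a code fence so the leading `--` isn't typeset as a dash.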
@@ -231,9 +231,10 @@ sections: - Under the Product Family, select Windows. Select the product and the product version you need help with. For the category that best describes the issue, select, **Windows Security Technologies**. In the final option, select **Windows Defender Application Guard**. - question: | - Is for a way to enable/disable the behavior where the host Edge tab auto-closes when navigating to an untrusted site? + Is there a way to enable or disable the behavior where the host Edge tab auto-closes when navigating to an untrusted site? answer: | - Yes. Use this Edge flag to enable/disable this behavior: --disable-features="msWdagAutoCloseNavigatedTabs" + Yes. Use this Edge flag to enable or disable this behavior: + --disable-features="msWdagAutoCloseNavigatedTabs" additionalContent: | From c96a88b345dd20505c7a39854a5e87b7d4bd70c2 Mon Sep 17 00:00:00 2001 From: Mitchell Schmidt <74631052+mitschmi@users.noreply.github.com> Date: Thu, 9 Mar 2023 10:28:05 -0800 Subject: [PATCH 013/101] Remove references to Kerberos There's a known security vulnerability with AuthIP + Kerberos. Since AuthIP is on the path to being deprecated, and we have a security bug for this issue, want to clean documentation of using AuthIP + Kerberos. --- .../create-an-authentication-request-rule.md | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-) diff --git a/windows/security/threat-protection/windows-firewall/create-an-authentication-request-rule.md b/windows/security/threat-protection/windows-firewall/create-an-authentication-request-rule.md index b8efe4ed2a..a32b7432ef 100644 --- a/windows/security/threat-protection/windows-firewall/create-an-authentication-request-rule.md +++ b/windows/security/threat-protection/windows-firewall/create-an-authentication-request-rule.md 
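Review bot: the flag now sits on its own plain-text line after `Yes. Use this Edge flag to enable or disable this behavior:`; put it in a fenced code block so it renders verbatim, and state where it's applied (the Microsoft Edge command line). Because a command-line flag is set per launch rather than centrally managed, say whether a policy equivalent exists; if none does, say that too, so admins don't expect to enforce this through policy.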
@@ -39,18 +39,12 @@ To create the authentication request rule: 1. **Default**. Selecting this option tells the device to request authentication by using the method currently defined as the default on the device. This default might have been configured when the operating system was installed or it might have been configured by Group Policy. Selecting this option is appropriate when you have configured system-wide settings by using the [Configure Authentication Methods](configure-authentication-methods.md) procedure. - 2. **Computer and User (Kerberos V5)**. Selecting this option tells the device to request authentication of both the device and the currently logged-on user by using their domain credentials. This authentication method works only with other devices that can use AuthIP. User-based authentication using Kerberos V5 is not supported by IKE v1. - - 3. **Computer (Kerberos V5)**. Selecting this option tells the device to request authentication of the device by using its domain credentials. This option works with other devices than can use IKE v1, including earlier versions of Windows. - - 4. **Advanced**. Selecting this option enables you to specify a custom combination of authentication methods required for your scenario. + 2. **Advanced**. Selecting this option enables you to specify a custom combination of authentication methods required for your scenario. 6. Optional: If you selected **Advanced** in the previous step, then Click **Customize** to specify a custom combination of authentication methods required for your scenario. You can specify both a **First authentication method** and a **Second authentication method**. The **First authentication method** can be one of the following: - - **Computer (Kerberos V5)**. Selecting this option tells the device to request authentication of the device by using its domain credentials. This option works with other devices than can use IKE v1, including earlier versions of Windows. - - **Computer (NTLMv2)**. 
Selecting this option tells the device to use and require authentication of the device by using its domain credentials. This option works only with other devices that can use AuthIP. User-based authentication using Kerberos V5 is not supported by IKE v1. - **Computer certificate from this certification authority (CA)**. Selecting this option and entering the identification of a CA tells the device to request authentication by using a certificate that is issued by the specified CA. If you also select **Accept only health certificates**, then only certificates issued by a NAP server can be used for this rule. @@ -61,8 +55,6 @@ To create the authentication request rule: The **Second authentication method** can be one of the following: - - **User (Kerberos V5)**. Selecting this option tells the device to use and require authentication of the currently logged-on user by using his or her domain credentials. This authentication method works only with other devices that can use AuthIP. User-based authentication using Kerberos V5 is not supported by IKE v1. - - **User (NTLMv2)**. Selecting this option tells the device to use and require authentication of the currently logged-on user by using his or her domain credentials, and uses the NTLMv2 protocol instead of Kerberos V5. This authentication method works only with other devices that can use AuthIP. User-based authentication using NTLMv2 is not supported by IKE v1. - **User health certificate from this certification authority (CA)**. Selecting this option and entering the identification of a CA tells the device to request user-based authentication by using a certificate that is issued by the specified CA. If you also select **Enable certificate to account mapping**, then the certificate can be associated with a user in Active Directory for purposes of granting or denying access to certain users or user groups. From 2b53fe390c837539f4fab215730936aadaa380ca Mon Sep 17 00:00:00 2001 
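Review bot: the stated goal is to remove Kerberos V5 from this page, but two references survive in the kept lines: in the first hunk, under **Computer (NTLMv2)**, the sentence `User-based authentication using Kerberos V5 is not supported by IKE v1.` (which also doesn't belong in a computer-authentication bullet), and in the second hunk, under **User (NTLMv2)**, `uses the NTLMv2 protocol instead of Kerberos V5`. Drop the first and reword the second. Since a docs edit doesn't change the wizard, readers who still see the Kerberos V5 choices get no guidance; a one-line note that those options aren't recommended would make the removal look deliberate rather than like an omission.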
From: Mitchell Schmidt <74631052+mitschmi@users.noreply.github.com> Date: Thu, 9 Mar 2023 10:29:01 -0800 Subject: [PATCH 014/101] Remove references to Kerberos There's a known security vulnerability with AuthIP + Kerberos. Since AuthIP is on the path to being deprecated, and we have a security bug for this issue, want to clean documentation of using AuthIP + Kerberos. --- .../configure-authentication-methods.md | 14 ++------------ 1 file changed, 2 insertions(+), 12 deletions(-) diff --git a/windows/security/threat-protection/windows-firewall/configure-authentication-methods.md b/windows/security/threat-protection/windows-firewall/configure-authentication-methods.md index bab0dffc8e..5dd682de3c 100644 --- a/windows/security/threat-protection/windows-firewall/configure-authentication-methods.md +++ b/windows/security/threat-protection/windows-firewall/configure-authentication-methods.md 
@@ -32,20 +32,12 @@ To complete these procedures, you must be a member of the Domain Administrators 1. **Default**. Selecting this option tells the computer to use the authentication method currently defined by the local administrator in Windows Defender Firewall or by Group Policy as the default. - 2. **Computer and User (using Kerberos V5)**. Selecting this option tells the computer to use and require authentication of both the computer and the currently logged-on user by using their domain credentials. + 2. **Computer certificate from this certification authority**. Selecting this option and entering the identification of a certification authority (CA) tells the computer to use and require authentication by using a certificate that is issued by the selected CA. If you also select **Accept only health certificates**, then only certificates that include the system health authentication extended key usage (EKU) typically provided in a Network Access Protection (NAP) infrastructure can be used for this rule. - 3. **Computer (using Kerberos V5)**. Selecting this option tells the computer to use and require authentication of the computer by using its domain credentials. This option works with other computers that can use IKE v1, including earlier versions of Windows. - - 4. **User (using Kerberos V5)**. Selecting this option tells the computer to use and require authentication of the currently signed-in user by using their domain credentials. - - 5. **Computer certificate from this certification authority**. Selecting this option and entering the identification of a certification authority (CA) tells the computer to use and require authentication by using a certificate that is issued by the selected CA. If you also select **Accept only health certificates**, then only certificates that include the system health authentication extended key usage (EKU) typically provided in a Network Access Protection (NAP) infrastructure can be used for this rule. - - 6. **Advanced**. 
Click **Customize** to specify a custom combination of authentication methods required for your scenario. You can specify both a **First authentication method** and a **Second authentication method**. + 3. **Advanced**. Click **Customize** to specify a custom combination of authentication methods required for your scenario. You can specify both a **First authentication method** and a **Second authentication method**. The first authentication method can be one of the following methods: - - **Computer (Kerberos V5)**. Selecting this option tells the computer to use and require authentication of the computer by using its domain credentials. This option works with other computers that can use IKE v1, including earlier versions of Windows. - - **Computer (NTLMv2)**. Selecting this option tells the computer to use and require authentication of the computer by using its domain credentials. This option works only with other computers that can use AuthIP. User-based authentication using Kerberos V5 isn't supported by IKE v1. - **Computer certificate from this certification authority (CA)**. Selecting this option and entering the identification of a CA tells the computer to use and require authentication by using a certificate that is issued by that CA. If you also select **Accept only health certificates**, then only certificates issued by a NAP server can be used. 
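Review bot: with the Kerberos V5 and NTLMv2 bullets deleted, the retained line "The first authentication method can be one of the following methods:" now introduces a single bullet (the CA certificate option), so "one of the following methods" no longer fits; either reword it to "The first authentication method is:" or keep the list. The hunk also drops every domain-credential choice from the dialog description (Computer and User, Computer, User using Kerberos V5; Computer using NTLMv2) without stating why, so a reader can no longer tell whether those choices still exist in the Windows Defender Firewall UI; the commit message should record the reason, or the options should stay. The renumbering to items 1 through 3 is consistent as written.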
@@ -56,8 +48,6 @@ To complete these procedures, you must be a member of the Domain Administrators The second authentication method can be one of the following methods: - - **User (Kerberos V5)**. Selecting this option tells the computer to use and require authentication of the currently signed-in user by using their domain credentials. This authentication method works only with other computers that can use AuthIP. User-based authentication using Kerberos V5 isn't supported by IKE v1. - - **User (NTLMv2)**. Selecting this option tells the computer to use and require authentication of the currently signed-in user by using their domain credentials, and uses the NTLMv2 protocol instead of Kerberos V5. This authentication method works only with other computers that can use AuthIP. User-based authentication using Kerberos V5 isn't supported by IKE v1. - **User health certificate from this certification authority (CA)**. Selecting this option and entering the identification of a CA tells the computer to use and require user-based authentication by using a certificate that is issued by the specified CA. If you also select **Enable certificate to account mapping**, then the certificate can be associated with a user in Active Directory for purposes of granting or denying access to specified users or user groups. From 2f03d61118ea563ab2ef7f6cd63b984ff3cc2596 Mon Sep 17 00:00:00 2001 From: scottmca <89857809+scottmca@users.noreply.github.com> Date: Thu, 9 Mar 2023 15:14:52 -0500 Subject: [PATCH 015/101] Update provisioning-install-icd.md Customer could not find this issue because of the lack of good description. Added some additional keyboards/description to help customers find this issue better --- .../provisioning-packages/provisioning-install-icd.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
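Review bot: the @@ -56,8 hunk has the same mismatch for the second authentication method: "The second authentication method can be one of the following methods:" is followed by only the User health certificate bullet once User (Kerberos V5) and User (NTLMv2) are removed. Reword the lead sentence for a single option or keep the two bullets. Note also that the deleted bullets were the only place stating that user-based authentication works only with peers that can use AuthIP and isn't supported by IKE v1; if that caveat applies to the remaining certificate option as well, carry it over so the interoperability limit isn't lost.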
diff --git a/windows/configuration/provisioning-packages/provisioning-install-icd.md b/windows/configuration/provisioning-packages/provisioning-install-icd.md index 8796ceac18..9e11f2f5e5 100644 --- a/windows/configuration/provisioning-packages/provisioning-install-icd.md +++ b/windows/configuration/provisioning-packages/provisioning-install-icd.md @@ -57,7 +57,7 @@ On devices running Windows client, you can install [the Windows Configuration De - When running Windows Configuration Designer on Windows releases earlier than Windows 10, version 2004 you might need to enable TLS 1.2, especially if using Bulk Enrollment Tokens. You may see the error message in the `icd.log` file: `Error: AADSTS1002016: You are using TLS version 1.0, 1.1 and/or 3DES cipher which are deprecated to improve the security posture of Azure AD` For more information, see [Enable TLS 1.2 on client or server operating systems](/troubleshoot/azure/active-directory/enable-support-tls-environment#enable-tls-12-on-client-or-server-operating-systems-). -- Windows Configuration Designer doesn't work properly if the **Policies > Administrative Templates > Windows Components > Internet Explorer > Security Zones: Use only machine settings** Group Policy setting is enabled. Instead of changing the security setting, we recommend you run Windows Configuration Designer on a different device. +- Windows Configuration Designer will not up to the standard size button with steps for the guided wizard. Each step will be oversized button with no description to the left if the **Policies > Administrative Templates > Windows Components > Internet Explorer > Security Zones: Use only machine settings** Group Policy setting is enabled. Instead of changing the security setting, we recommend you run Windows Configuration Designer on a different device. - You can only run one instance of Windows Configuration Designer on your computer at a time. From d1dbbe6c7bb36a3ff8cad1ae4885630ffe52dc45 Mon Sep 17 00:00:00 2001 
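Review bot: the replacement bullet is ungrammatical: "will not up to the standard size button with steps for the guided wizard" has no verb, and "Each step will be oversized button" needs an article. Suggest: "Windows Configuration Designer doesn't display the standard-size buttons for the steps of the guided wizard; each step appears as an oversized button with no description to the left if the **Policies > Administrative Templates > Windows Components > Internet Explorer > Security Zones: Use only machine settings** Group Policy setting is enabled." Keeping the original plain statement that the tool doesn't work properly ahead of the symptom also preserves the search terms the commit message says it wants to add.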
From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Thu, 9 Mar 2023 12:29:49 -0800 Subject: [PATCH 016/101] Revert "Add documentation for ScanBeforeInitialLogonAllowed" --- windows/deployment/update/waas-wu-settings.md | 26 ++++++------------- 1 file changed, 8 insertions(+), 18 deletions(-) diff --git a/windows/deployment/update/waas-wu-settings.md b/windows/deployment/update/waas-wu-settings.md index 63f165899e..af807a712a 100644 --- a/windows/deployment/update/waas-wu-settings.md +++ b/windows/deployment/update/waas-wu-settings.md @@ -9,12 +9,17 @@ manager: aaroncz ms.topic: article ms.collection: highpri, tier2 ms.technology: itpro-updates -ms.date: 03/09/2023 +ms.date: 01/06/2023 --- # Manage additional Windows Update settings -***(Applies to: Windows 11 & Windows 10)*** + +**Applies to** + +- Windows 10 +- Windows 11 + > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) @@ -32,8 +37,7 @@ You can use Group Policy settings or mobile device management (MDM) to configure | [Allow signed updates from an intranet Microsoft update service location](#allow-signed-updates-from-an-intranet-microsoft-update-service-location) | [AllowNonMicrosoftSignedUpdate](/windows/client-management/mdm/policy-configuration-service-provider#update-allownonmicrosoftsignedupdate) | All | | [Do not include drivers with Windows Updates](#do-not-include-drivers-with-windows-updates) | [ExcludeWUDriversInQualityUpdate](/windows/client-management/mdm/policy-configuration-service-provider#update-excludewudriversinqualityupdate) | 1607 | | [Configure Automatic Updates](#configure-automatic-updates) | [AllowAutoUpdate](/windows/client-management/mdm/policy-configuration-service-provider#update-allowautoupdate) | All | -| | [Windows Update notifications display organization name](#bkmk_display-name)

*Organization name is displayed by default. A registry value can disable this behavior. | Windows 11 devices that are Azure Active Directory joined or registered | -| | [Allow Windows updates to install before initial user sign-in](#allow-windows-update-before-initial-sign-in) | Windows 11 version 22H2 | +| | [Windows Update notifications display organization name](#bkmk_display-name)

*Organization name is displayed by default. A registry value can disable this behavior. | Windows 11 devices that are Azure Active Directory joined or registered | >[!IMPORTANT] >Additional information about settings to manage device restarts and restart notifications for updates is available on **[Manage device restarts after updates](waas-restart.md)**. @@ -279,17 +283,3 @@ if (!(Test-Path $registryPath)) New-ItemProperty -Path $registryPath -Name $name -Value $value -PropertyType DWORD -Force | Out-Null ``` - -## Allow Windows updates to install before initial user sign-in -*(Starting in Windows 11, version 22H2)* - -On new devices, Windows Update doesn't begin installing background updates until a user has completed the Out of Box Experience (OOBE) and signs in for the first time. In many cases, the user signs in immediately after completing the OOBE. However, some VM-based solutions provision a device and automate the first user experience. These VMs may not be immediately assigned to a user so they won't see an initial sign-in until several days later. - -In scenarios where initial sign-in is delayed, setting the following registry values allow devices to begin background update work before a user first signs in: - -- **Registry key**: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Orchestrator -- **DWORD value name**: ScanBeforeInitialLogonAllowed -- **Value data**: 1 - -> [!Warning] -> This value is designed to be used only for scenarios with a deferred initial user sign in. Setting this value on devices where initial user sign in isn't delayed could have a detrimental effect on performance since it may allow update work to occur as the user is signing in for the first time. From 509670a105a74049b570281127aab9e21e7b50e4 Mon Sep 17 00:00:00 2001 
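Review bot: in the @@ -9,12 hunk, ms.date moves backwards from 03/09/2023 to 01/06/2023. The revert still changes the published page on the day it lands, so the date should be this commit's date rather than the pre-change value; the reshaped "Applies to" list is fine.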
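Review bot: the @@ -279,17 hunk removes the whole "Allow Windows updates to install before initial user sign-in" section, including the ScanBeforeInitialLogonAllowed registry value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Orchestrator and its performance warning, but the subject line gives no reason for the revert. Please state in the commit message why the documentation is being withdrawn (setting not shipped, not supported, or incorrect), because anyone who already applied the value from the previous revision is left with no guidance on whether to remove it. The matching row removal in the @@ -32,8 hunk keeps the page consistent, so no dangling #allow-windows-update-before-initial-sign-in anchor remains.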
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Fri, 10 Mar 2023 10:49:28 -0500 Subject: [PATCH 017/101] updates to WHFB articles --- .../hello-adequate-domain-controllers.md | 26 +++++++------- .../hello-feature-dynamic-lock.md | 36 ++++++++----------- .../hello-feature-pin-reset.md | 15 +++----- 3 files changed, 33 insertions(+), 44 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md index 32dc3ba63e..7a9614f71c 100644 --- a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md +++ b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md 
@@ -1,23 +1,23 @@ --- title: Having enough Domain Controllers for Windows Hello for Business deployments -description: Guide for planning to have an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments -ms.date: 08/20/2018 +description: Guide for planning to have an adequate number of Domain Controllers for Windows Hello for Business deployments +ms.date: 03/10/2023 appliesto: - ✅ Windows 10 and later - ✅ Windows Server 2016 and later -ms.topic: article +ms.topic: conceptual --- -# Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments +# Plan an adequate number of Domain Controllers for Windows Hello for Business deployments > [!NOTE] ->There was an issue with key trust authentication on Windows Server 2019. To fix it, refer to [KB4487044](https://support.microsoft.com/en-us/help/4487044/windows-10-update-kb4487044). +>There was an issue with key trust authentication on Windows Server 2019. To fix it, refer to [KB4487044](https://support.microsoft.com/help/4487044/windows-10-update-kb4487044). ## How many is adequate How can you find out how many domain controllers are needed? You can use performance monitoring on your domain controllers to determine existing authentication traffic. Windows Server 2016 and above includes the KDC AS Requests performance counter. You can use this counter to determine how much of a domain controller's load is due to initial Kerberos authentication. It's important to remember that authentication for a Windows Hello for Business key trust deployment does not affect Kerberos authentication - it remains unchanged. Windows 10 or Windows 11 accomplishes Windows Hello for Business key trust authentication by mapping an Active Directory user account to one or more public keys. This mapping occurs on the domain controller, which is why the deployment needs Windows Server 2016 or later domain controllers. 
Public key mapping is only supported by Windows Server 2016 domain controllers and above. Therefore, users in a key trust deployment must authenticate to a Windows Server 2016 and above domain controller. - + Determining an adequate number of Windows Server domain controllers is important to ensure you have enough domain controllers to satisfy all authentication requests, including users mapped with public key trust. What many administrators do not realize is that adding a domain controller that supports public key mapping (in this case Windows Server 2016 or later) to a deployment of existing domain controllers which do not support public key mapping (Windows Server 2008R2, Windows Server 2012R2) instantly makes that single domain controller susceptible to carrying the most load, or what is commonly referred to as "piling on". To illustrate the "piling on" concept, consider the following scenario: Consider a controlled environment where there are 1000 client computers and the authentication load of these 1000 client computers is evenly distributed across 10 domain controllers in the environment. The Kerberos AS requests load would look something like the following: @@ -55,7 +55,7 @@ The preceding was an example to show why it's unrealistic to have a "one-size-fi ## Determining total AS Request load Each organization needs to have a baseline of the AS request load that occurs in their environment. Windows Server provides the KDC AS Requests performance counter that helps you determine this. - + Pick a site where you plan to upgrade the clients to Windows Hello for Business public key trust. Pick a time when authentication traffic is most significant--Monday morning is great time as everyone is returning to the office. Enable the performance counter on *all* the domain controllers in that site. Collect KDC AS Requests performance counters for two hours: - A half-hour before you expect initial authentication (sign-ins and unlocks) to be significant 
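Review bot: the @@ -55,7 hunk only trims whitespace, but the context line next to it reads "Monday morning is great time as everyone is returning to the office" and uses a double hyphen; since the paragraph is being touched, make it "is a great time" and replace "--" with a comma or a single dash.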
@@ -72,15 +72,15 @@ Aggregate the performance data of all domain controllers. Look for the maximum K Add the number of authentications for each domain controller for the median time. You now have the total authentication for the site during a peak time. Using this metric, you can determine the distribution of authentication across the domain controllers in the site by dividing the domain controller's authentication number for the median time by the total authentication. Multiply the quotient by 10 to convert the distribution to a percentage. To validate your math, all the distributions should equal 100 percent. Review the distribution of authentication. Hopefully, none of these are above 70 percent. It's always good to reserve some capacity for the unexpected. Also, the primary purposes of a domain controller are to provide authentication and handle Active Directory operations. Identify domain controllers with lower distributions of authentication as potential candidates for the initial domain controller upgrades in conjunction with a reasonable distribution of clients provisioned for Windows Hello for Business. - + ## Monitoring Authentication Using the same methods described above, monitor the Kerberos authentication after upgrading a domain controller and your first phase of Windows Hello for Business deployments. Make note of the delta of authentication before and after upgrading the domain controller to Windows Server 2016 or newer. This delta is representative of authentication resulting from the first phase of your Windows Hello for Business clients. It gives you a baseline for your environment to where you can form a statement such as: ```"Every n Windows Hello for Business clients results in x percentage of key-trust authentication."``` -Where *n* equals the number of clients you switched to Windows Hello for Business and _x_ equals the increased percentage of authentication from the upgraded domain controller. 
Armed with this information, you can apply the observations of upgrading domain controllers and increasing Windows Hello for Business client count to appropriately phase your deployment. - +Where *n* equals the number of clients you switched to Windows Hello for Business and *x* equals the increased percentage of authentication from the upgraded domain controller. Armed with this information, you can apply the observations of upgrading domain controllers and increasing Windows Hello for Business client count to appropriately phase your deployment. + Remember, increasing the number of clients changes the volume of authentication distributed across the Windows Server 2016 or newer domain controllers. If there is only one Windows Server 2016 or newer domain controller, there's no distribution and you are simply increasing the volume of authentication for which THAT domain controller is responsible. Increasing the number of domain controllers distributes the volume of authentication, but doesn't change it. Therefore, as you add more domain controllers, the burden of authentication, for which each domain controller is responsible, decreases. Upgrading two domain controller changes the distribution to 50 percent. Upgrading three domain controllers changes the distribution to 33 percent, and so on. 
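Review bot: the unchanged context line in the @@ -72,15 hunk says "Multiply the quotient by 10 to convert the distribution to a percentage", which is wrong: dividing one domain controller's authentication count by the site total gives a fraction, and it takes a factor of 100, not 10, to express it as a percentage; the next sentence, "all the distributions should equal 100 percent", confirms this. Since the hunk already edits this paragraph for whitespace, fix the number here. Same hunk, "Upgrading two domain controller changes the distribution to 50 percent" should read "two domain controllers"; the merged *n*/*x* line is fine.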
@@ -88,9 +88,9 @@ Increasing the number of domain controllers distributes the volume of authentica ## Strategy The simplest strategy you can employ is to upgrade one domain controller and monitor the single domain controller as you continue to phase in new Windows Hello for Business key-trust clients until it reaches a 70 or 80 percent threshold. - + Then, upgrade a second domain controller. Monitor the authentication on both domain controllers to determine how the authentication distributes between the two domain controllers. Introduce more Windows Hello for Business clients while monitoring the authentication on the two upgraded domain controllers. Once those reach your environment's designated capacity, you can upgrade another domain controller. - + Repeat until your deployment for that site is complete. Now, monitor authentication across all your domain controllers like you did the very first time. Determine the distribution of authentication for each domain controller. Identify the percentage of distribution for which it is responsible. If a single domain controller is responsible for 70 percent of more of the authentication, you may want to consider adding a domain controller to reduce the distribution of authentication volume. - + However, before considering this, ensure the high load of authentication is not a result of applications and services where their configuration has a statically-configured domain controller. Adding domain controllers will not resolve the additional authentication load problem in this scenario. Instead, manually distribute the authentication to different domain controllers among all the services or applications. Alternatively, try simply using the domain name rather than a specific domain controller. Each domain controller has an A record registered in DNS for the domain name, which DNS will round robin with each DNS query. 
It's not the best load balancer, however, it is a better alternative to static domain controller configurations, provided the configuration is compatible with your service or application. diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md index 9f461f9697..9268eb6f52 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md 
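Review bot: in the @@ -88,9 hunk, the context line "If a single domain controller is responsible for 70 percent of more of the authentication" should read "70 percent or more"; and "Repeat until your deployment for that site is complete" is followed by two sentences that both describe determining the distribution per domain controller ("Determine the distribution of authentication for each domain controller. Identify the percentage of distribution for which it is responsible."), which can be collapsed into one.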
@@ -1,33 +1,38 @@ --- title: Dynamic lock -description: Learn how to set Dynamic lock on Windows 10 and Windows 11 devices, by configuring group policies. This feature locks a device when a Bluetooth signal falls below a set value. -ms.date: 07/12/2022 +description: Learn how to configure dynamic lock on Windows devices via group policies. This feature locks a device when a Bluetooth signal falls below a set value. +ms.date: 03/10/2023 appliesto: - ✅ Windows 10 and later -ms.topic: article +ms.topic: how-to --- # Dynamic lock -Dynamic lock enables you to configure Windows devices to automatically lock when Bluetooth paired device signal falls below the maximum Received Signal Strength Indicator (RSSI) value. This makes it more difficult for someone to gain access to your device if you step away from your PC and forget to lock it. +Dynamic lock is a feature that automatically locks a Windows device when a Bluetooth paired phone signal falls below the maximum Received Signal Strength Indicator (RSSI) value. The feature makes it more difficult for someone to gain access to your device if you step away from your PC and forget to lock it. > [!IMPORTANT] -> This feature only locks the computer if the Bluetooth signal falls and the system is idle. If the system isn't idle (for example, an intruder gets access _before_ the Bluetooth signal falls below the limit), the device won't lock. Therefore, the dynamic lock feature is an additional barrier. It doesn't replace the need for the user to lock the computer. It only reduces the probability of someone gaining access if the user forgets to lock it. +> The dynamic lock feature only locks the device if the Bluetooth signal falls **and** the system is idle. If the system isn't idle (for example, an intruder gets access *before* the Bluetooth signal falls below the limit), the device won't lock. Therefore, the dynamic lock feature is an additional barrier. It doesn't replace the need for the user to lock the computer. 
It only reduces the probability of someone gaining access if the user forgets to lock it. -You configure the dynamic lock policy using Group Policy. You can locate the policy setting at **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business**. The name of the policy is **Configure dynamic lock factors**. +You can configure Windows devices to use the **dynamic lock** using a Group Policy Object (GPO). + +1. Using the Group Policy Management Console (GPMC), scope a domain-based Group Policy to computer accounts in Active Directory. +1. Edit the Group Policy object from Step 1. +1. Enable the **Configure dynamic lock factors** policy setting located under **Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business**. +1. Close the Group Policy Management Editor to save the Group Policy object. The Group Policy Editor, when the policy is enabled, creates a default signal rule policy with the following value: -``` +```xml - + ``` >[!IMPORTANT] >Microsoft recommends using the default values for this policy settings. Measurements are relative based on the varying conditions of each environment. Therefore, the same values may produce different results. Test policy settings in each environment prior to broadly deploying the setting. -For this policy setting, the **type** and **scenario** attribute values are static and cannot change. The **classofDevice** is configurable but Phone is the only currently supported configuration. The attribute defaults to Phones and uses the values from the following table: +For this policy setting, the **type** and **scenario** attribute values are static and can't change. The **classofDevice** is configurable but Phone is the only currently supported configuration. The attribute defaults to Phone and uses the values from the following table: |Description|Value| |:-------------|:-------:| 
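Review bot: in the new line "You can configure Windows devices to use the **dynamic lock** using a Group Policy Object (GPO)." the doubled "use ... using" reads awkwardly; suggest "You can configure dynamic lock on Windows devices with a Group Policy Object (GPO)." The new steps then say "Group Policy object from Step 1" and "Group Policy Management Editor", so settle on one capitalization of "object". The unchanged IMPORTANT line "Microsoft recommends using the default values for this policy settings" should be "this policy setting".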
@@ -43,17 +48,6 @@ For this policy setting, the **type** and **scenario** attribute values are stat |Health|2304| |Uncategorized|7936| -The **rssiMin** attribute value signal indicates the strength needed for the device to be considered "in-range". The default value of **-10** enables a user to move about an average size office or cubicle without triggering Windows to lock the device. The **rssiMaxDelta** has a default value of **-10**, which instruct Windows to lock the device once the signal strength weakens by more than measurement of 10. +The **rssiMin** attribute value signal indicates the strength needed for the device to be considered *in-range*. The default value of **-10** enables a user to move about an average size office or cubicle without triggering Windows to lock the device. The **rssiMaxDelta** has a default value of **-10**, which instruct Windows to lock the device once the signal strength weakens by more than measurement of 10. RSSI measurements are relative and lower as the bluetooth signals between the two paired devices reduces. Therefore a measurement of 0 is stronger than -10, which is stronger than -60, which is an indicator the devices are moving further apart from each other. - -## Related topics - -* [Windows Hello for Business](hello-identity-verification.md) -* [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) -* [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) -* [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) -* [Windows Hello and password changes](hello-and-password-changes.md) -* [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) -* [Event ID 300 - Windows Hello successfully created](/windows/security/identity-protection/hello-for-business/hello-faq) -* [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) 
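Review bot: the rewritten rssiMin/rssiMaxDelta line keeps the grammar faults of the old one: "which instruct Windows to lock the device" should be "which instructs", and "weakens by more than measurement of 10" needs "a measurement of 10". The following context line "RSSI measurements are relative and lower as the bluetooth signals between the two paired devices reduces" should read "RSSI measurements are relative and decrease as the Bluetooth signal between the two paired devices weakens" (capital B, singular verb). Worth keeping next to these values: the IMPORTANT note above says the measurements vary per environment, which applies to rssiMaxDelta as much as rssiMin.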
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md index 7b1fdf338f..ea7e72e5d4 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md @@ -4,10 +4,10 @@ description: Learn how Microsoft PIN reset services enable you to help users rec ms.collection: - highpri - tier1 -ms.date: 07/29/2022 +ms.date: 03/10/2023 appliesto: - ✅ Windows 10 and later -ms.topic: article +ms.topic: how-to --- # PIN reset 
@@ -20,12 +20,10 @@ There are two forms of PIN reset: - **Non-destructive PIN reset**: with this option, the user's Windows Hello for Business container and keys are preserved, but the user's PIN that they use to authorize key usage is changed. For non-destructive PIN reset, you must deploy the **Microsoft PIN Reset Service** and configure your clients' policy to enable the **PIN Recovery** feature. ## Using PIN reset - There are two forms of PIN reset called destructive and non-destructive. Destructive PIN reset is the default and doesn't require configuration. During a destructive PIN reset, the user's existing PIN and underlying credentials, including any keys or certificates added to their Windows Hello container, will be deleted from the client and a new logon key and PIN are provisioned. For non-destructive PIN reset, you must deploy the Microsoft PIN reset service and client policy to enable the PIN recovery feature. During a non-destructive PIN reset, the user's Windows Hello for Business container and keys are preserved, but the user's PIN that they use to authorize key usage is changed. Destructive and non-destructive PIN reset use the same steps for initiating a PIN reset. If users have forgotten their PINs, but have an alternate sign-in method, they can navigate to Sign-in options in *Settings* and initiate a PIN reset from the PIN options. If users don't have an alternate way to sign into their devices, PIN reset can also be initiated from the Windows lock screen in the PIN credential provider. - >[!IMPORTANT] >For hybrid Azure AD-joined devices, users must have corporate network connectivity to domain controllers to complete destructive PIN reset. If AD FS is being used for certificate trust or for on-premises only deployments, users must also have corporate network connectivity to federation services to reset their PIN. 
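Review bot: the @@ -20,12 hunk removes only blank lines, but the visible context shows the "Using PIN reset" paragraph restating what the bullet list directly above it already says (destructive reset deletes the container and provisions a new logon key and PIN; non-destructive reset preserves container and keys and requires the Microsoft PIN Reset Service). Since the section is being touched, drop the repeated definitions from the paragraph and keep only the shared initiation steps and the IMPORTANT connectivity note.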
@@ -35,7 +33,6 @@ Destructive and non-destructive PIN reset use the same steps for initiating a PI 1. Open **Settings**, select **Accounts** > **Sign-in options**. 1. Select **PIN (Windows Hello)** > **I forgot my PIN** and follow the instructions. - ### Reset PIN above the Lock Screen For Azure AD-joined devices: @@ -46,7 +43,6 @@ For Azure AD-joined devices: 1. Follow the instructions provided by the provisioning process. 1. When finished, unlock your desktop using your newly created PIN. - For Hybrid Azure AD-joined devices: 1. If the PIN credential provider isn't selected, expand the **Sign-in options** link, and select the PIN pad icon. 
@@ -58,14 +54,14 @@ For Hybrid Azure AD-joined devices: > [!NOTE] > Key trust on hybrid Azure AD-joined devices does not support destructive PIN reset from above the Lock Screen. This is due to the sync delay between when a user provisions their Windows Hello for Business credential and being able to use it for sign-in. For this deployment model, you must deploy non-destructive PIN reset for above lock PIN reset to work. -You may find that PIN reset from settings only works post login. Also, the "lock screen" PIN reset function won't work if you have any matching limitation of self-service password reset from the lock screen. For more information, see [Enable Azure Active Directory self-service password reset at the Windows sign-in screen - General ](/azure/active-directory/authentication/howto-sspr-windows#general-limitations). +You may find that PIN reset from settings only works post login. Also, the lock screen PIN reset function won't work if you have any matching limitation of self-service password reset from the lock screen. For more information, see [Enable Azure Active Directory self-service password reset at the Windows sign-in screen - General ](/azure/active-directory/authentication/howto-sspr-windows#general-limitations). ## Non-Destructive PIN reset **Requirements:** - Azure Active Directory -- Windows 10, version 1709 to 1809, Enterprise Edition. There's no licensing requirement for this feature since version 1903. +- Windows Enterprise and Pro editions. There's no licensing requirement for this feature. - Hybrid Windows Hello for Business deployment - Azure AD registered, Azure AD joined, and Hybrid Azure AD joined 
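Review bot: the new requirements line "Windows Enterprise and Pro editions. There's no licensing requirement for this feature." drops the version floor the removed line carried (Enterprise only from 1709 to 1809; no licensing requirement since 1903). If the intent is that every currently supported Windows 10 release and Windows 11 qualify, say so explicitly, for example "Windows 10, version 1903 or later, and Windows 11, Pro or Enterprise edition"; as written the list names an edition but no version, and the "Windows editions and versions" table row further down needs the same wording.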
@@ -83,7 +79,7 @@ Using Group Policy, Microsoft Intune or a compatible MDM solution, you can confi |Category|Destructive PIN Reset|Non-Destructive PIN Reset| |--- |--- |--- | |**Functionality**|The user's existing PIN and underlying credentials, including any keys or certificates added to their Windows Hello container, will be deleted from the client and a new logon key and PIN are provisioned.|You must deploy the Microsoft PIN reset service and client policy to enable the PIN recovery feature. For more information on how to deploy the Microsoft PIN reset service and client policy, see [Connect Azure Active Directory with the PIN reset service](#connect-azure-active-directory-with-the-pin-reset-service). During a non-destructive PIN reset, the user's Windows Hello for Business container and keys are preserved, but the user's PIN that they use to authorize key usage is changed.| -|**Windows editions and versions**|Reset from settings - Windows 10, version 1703 or later, Windows 11. Reset above Lock - Windows 10, version 1709 or later, Windows 11.|Windows 10, version 1709 to 1809, Enterprise Edition. There isn't any licensing requirement for this feature since version 1903. Enterprise Edition and Pro edition with Windows 10, version 1903 and newer Windows 11.| +|**Windows editions and versions**| Windows Enterprise and Pro editions.| |**Azure Active Directory Joined**|Cert Trust, Key Trust, and cloud Kerberos trust|Cert Trust, Key Trust, and cloud Kerberos trust| |**Hybrid Azure Active Directory Joined**|Cert Trust and cloud Kerberos trust for both settings and above the lock support destructive PIN reset. Key Trust doesn't support this from above the lock screen. This is due to the sync delay between when a user provisions their Windows Hello for Business credential and being able to use it for sign-in. It does support from the settings page and the users must have a corporate network connectivity to the DC. 
|Cert Trust, Key Trust, and cloud Kerberos trust for both settings and above the lock support non-destructive PIN reset. No network connection is required for the DC.| |**On Premises**|If ADFS is being used for on premises deployments, users must have a corporate network connectivity to federation services. |The PIN reset service relies on Azure Active Directory identities, so it's only available for Hybrid Azure Active Directory Joined and Azure Active Directory Joined devices.| @@ -94,7 +90,6 @@ Using Group Policy, Microsoft Intune or a compatible MDM solution, you can confi > The **Microsoft PIN Reset Service** is not currently available in Azure Government. - ### Enable the Microsoft PIN Reset Service in your Azure AD tenant Before you can remotely reset PINs, you must register two applications in your Azure Active Directory tenant: From 06910d2a61c6c8c4712ddac7169a0a65e8badd9d Mon Sep 17 00:00:00 2001 From: scottmca <89857809+scottmca@users.noreply.github.com> Date: Fri, 10 Mar 2023 10:50:28 -0500 Subject: [PATCH 018/101] Update provisioning-install-icd.md fixing typo in original request --- .../provisioning-packages/provisioning-install-icd.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/configuration/provisioning-packages/provisioning-install-icd.md b/windows/configuration/provisioning-packages/provisioning-install-icd.md index 9e11f2f5e5..c99c866a8c 100644 --- a/windows/configuration/provisioning-packages/provisioning-install-icd.md +++ b/windows/configuration/provisioning-packages/provisioning-install-icd.md 
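Review bot: in the PIN reset comparison table, the rewritten row `|**Windows editions and versions**| Windows Enterprise and Pro editions.|` has only two cells where the header defines three (Category, Destructive PIN Reset, Non-Destructive PIN Reset), so the Non-Destructive column is left empty or the row renders misaligned; either repeat the value in both columns or restore the separate destructive-side value (Windows 10 version 1703 or 1709 and later, Windows 11) that the removed line listed.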
@@ -57,7 +57,7 @@ On devices running Windows client, you can install [the Windows Configuration De - When running Windows Configuration Designer on Windows releases earlier than Windows 10, version 2004 you might need to enable TLS 1.2, especially if using Bulk Enrollment Tokens. You may see the error message in the `icd.log` file: `Error: AADSTS1002016: You are using TLS version 1.0, 1.1 and/or 3DES cipher which are deprecated to improve the security posture of Azure AD` For more information, see [Enable TLS 1.2 on client or server operating systems](/troubleshoot/azure/active-directory/enable-support-tls-environment#enable-tls-12-on-client-or-server-operating-systems-). -- Windows Configuration Designer will not up to the standard size button with steps for the guided wizard. Each step will be oversized button with no description to the left if the **Policies > Administrative Templates > Windows Components > Internet Explorer > Security Zones: Use only machine settings** Group Policy setting is enabled. Instead of changing the security setting, we recommend you run Windows Configuration Designer on a different device. +- Windows Configuration Designer will not display the the standard size buttons with steps for the guided wizard. Each step will be oversized button with no description to the left if the **Policies > Administrative Templates > Windows Components > Internet Explorer > Security Zones: Use only machine settings** Group Policy setting is enabled. Instead of changing the security setting, we recommend you run Windows Configuration Designer on a different device. - You can only run one instance of Windows Configuration Designer on your computer at a time. From d39bf963d04928f2a9df8a9bf720f88da124b9f4 Mon Sep 17 00:00:00 2001 
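Review bot: the replacement bullet still reads "will not display the the standard size buttons" (doubled "the"), and "Each step will be oversized button" is missing an article ("an oversized button"); since this patch exists to fix the typo in that sentence, both should be corrected in the same line.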
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Fri, 10 Mar 2023 10:52:57 -0500 Subject: [PATCH 019/101] udpate --- .../hello-for-business/hello-adequate-domain-controllers.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md index 7a9614f71c..6607d17abb 100644 --- a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md +++ b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md @@ -1,6 +1,6 @@ --- -title: Having enough Domain Controllers for Windows Hello for Business deployments -description: Guide for planning to have an adequate number of Domain Controllers for Windows Hello for Business deployments +title: Plan an adequate number of Domain Controllers for Windows Hello for Business deployments +description: Learn how to plan for an adequate number of Domain Controllers to support Windows Hello for Business deployments. ms.date: 03/10/2023 appliesto: - ✅ Windows 10 and later From d75fe7196f6a067f6bdbcf10e8493e7525743ea8 Mon Sep 17 00:00:00 2001 From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Fri, 10 Mar 2023 12:20:23 -0500 Subject: [PATCH 020/101] Updating for style, clarity, and grammar Updating for style, clarity, and grammar --- .../provisioning-packages/provisioning-install-icd.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/configuration/provisioning-packages/provisioning-install-icd.md b/windows/configuration/provisioning-packages/provisioning-install-icd.md index c99c866a8c..e92747be63 100644 --- a/windows/configuration/provisioning-packages/provisioning-install-icd.md +++ b/windows/configuration/provisioning-packages/provisioning-install-icd.md 
@@ -57,7 +57,7 @@ On devices running Windows client, you can install [the Windows Configuration De - When running Windows Configuration Designer on Windows releases earlier than Windows 10, version 2004 you might need to enable TLS 1.2, especially if using Bulk Enrollment Tokens. You may see the error message in the `icd.log` file: `Error: AADSTS1002016: You are using TLS version 1.0, 1.1 and/or 3DES cipher which are deprecated to improve the security posture of Azure AD` For more information, see [Enable TLS 1.2 on client or server operating systems](/troubleshoot/azure/active-directory/enable-support-tls-environment#enable-tls-12-on-client-or-server-operating-systems-). -- Windows Configuration Designer will not display the the standard size buttons with steps for the guided wizard. Each step will be oversized button with no description to the left if the **Policies > Administrative Templates > Windows Components > Internet Explorer > Security Zones: Use only machine settings** Group Policy setting is enabled. Instead of changing the security setting, we recommend you run Windows Configuration Designer on a different device. +- Windows Configuration Designer doesn't work properly when the Group Policy setting **Policies** > **Administrative Templates** > **Windows Components** > **Internet Explorer** > **Security Zones: Use only machine settings** is enabled. When this policy is set, each step will display oversized buttons that fill the **Windows Configuration Designer** window. Additionally, the various options and descriptions that are normally to the right of the buttons won't be displayed because the buttons take up all of the space in the **Windows Configuration Designer** window. To resolve the problem, run Windows Configuration Designer on a device that doesn't have this policy enabled. - You can only run one instance of Windows Configuration Designer on your computer at a time. From 36d39dbfcea1289fd1fab4ece2fd9b24c3210e48 Mon Sep 17 00:00:00 2001 
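Review bot: the rewritten bullet says the options and descriptions are "normally to the right of the buttons", while the sentence it replaces said the description appears "to the left"; confirm which side matches the Windows Configuration Designer wizard layout before merging, since the two versions contradict each other. The rest of the rewrite reads well and the recommendation to use a device without the policy rather than weaken the security zone setting is the right call.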
From: jsuther1974 Date: Fri, 10 Mar 2023 11:02:27 -0800 Subject: [PATCH 021/101] Added topic describing the inbox WDAC policies --- .../TOC.yml | 6 ++- .../operations/inbox-wdac-policies.md | 45 +++++++++++++++++++ 2 files changed, 49 insertions(+), 2 deletions(-) create mode 100644 windows/security/threat-protection/windows-defender-application-control/operations/inbox-wdac-policies.md diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.yml b/windows/security/threat-protection/windows-defender-application-control/TOC.yml index cacb1ef857..eda6b8332a 100644 --- a/windows/security/threat-protection/windows-defender-application-control/TOC.yml +++ b/windows/security/threat-protection/windows-defender-application-control/TOC.yml @@ -107,10 +107,10 @@ - name: WDAC operational guide href: windows-defender-application-control-operational-guide.md items: - - name: Understanding Application Control event tags - href: event-tag-explanations.md - name: Understanding Application Control event IDs href: event-id-explanations.md + - name: Understanding Application Control event tags + href: event-tag-explanations.md - name: Query WDAC events with Advanced hunting href: querying-application-control-events-centrally-using-advanced-hunting.md - name: Known Issues @@ -119,6 +119,8 @@ href: configure-wdac-managed-installer.md - name: CITool.exe technical reference href: operations/citool-commands.md + - name: Inbox WDAC policies + href: operations/inbox-wdac-policies.md - name: WDAC AppId Tagging guide href: AppIdTagging/windows-defender-application-control-appid-tagging-guide.md items: diff --git a/windows/security/threat-protection/windows-defender-application-control/operations/inbox-wdac-policies.md b/windows/security/threat-protection/windows-defender-application-control/operations/inbox-wdac-policies.md new file mode 100644 index 0000000000..3ade157db4 --- /dev/null 
+++ b/windows/security/threat-protection/windows-defender-application-control/operations/inbox-wdac-policies.md 
@@ -0,0 +1,45 @@ +--- +title: Inbox WDAC policies +description: This article describes the inbox WDAC policies that may be active on a device. +keywords: security, malware +ms.prod: windows-client +audience: ITPro +author: jsuther1974 +ms.reviewer: jogeurte +ms.author: jogeurte +ms.manager: jsuther +manager: aaroncz +ms.date: 03/10/2023 +ms.technology: itpro-security +ms.topic: article +ms.localizationpriority: medium +--- + +# Inbox WDAC policies + +**Applies to:** + +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +> [!NOTE] +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). + +This article describes the Windows Defender Application Control (WDAC) policies that ship inbox with Windows and may be active on your devices. To see which policies are active on your device, use [citool.exe](/windows/security/threat-protection/windows-defender-application-control/operations/citool-commands) or check the *CodeIntegrity - Operational* event log for 3099 policy activation events. + +## Inbox WDAC Policies + +| **Policy Name** | **Policy ID** | **Policy Type** | **Description** | +|-----------|-----------|-----------|-----------| +| **Microsoft Windows Driver Policy** | {d2bda982-ccf6-4344-ac5b-0b44427b6816} | Kernel-only Base policy | This policy blocks known [vulnerable or malicious kernel drivers](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules). 
It's active by default on Windows 11 22H2, [Windows in S mode](https://support.microsoft.com/windows/windows-10-and-windows-11-in-s-mode-faq-851057d6-1ee9-b9e5-c30b-93baebeebc85), [Windows 11 SE](/education/windows/windows-11-se-overview), and anywhere [memory integrity](https://support.microsoft.com/windows/core-isolation-e30ed737-17d8-42f3-a2a9-87521df09b78) (also known as hypervisor-protected code integrity (HVCI)) is on. Its policy binary file is found at `%windir%\System32\CodeIntegrity\driversipolicy.p7b` and in the EFI system partition at `\Microsoft\Boot\driversipolicy.p7b`. | +| **Windows10S_Lockdown_Policy_Supplementable** | {5951a96a-e0b5-4d3d-8fb8-3e5b61030784} | Base policy | This policy is active on devices running [Windows in S mode](https://support.microsoft.com/windows/windows-10-and-windows-11-in-s-mode-faq-851057d6-1ee9-b9e5-c30b-93baebeebc85). Its policy binary file is found in the EFI system partition at `\Microsoft\Boot\winsipolicy.p7b`. | +| **WindowsE_Lockdown_Policy** | {82443e1e-8a39-4b4a-96a8-f40ddc00b9f3} | Base policy | This policy is active on devices running [Windows 11 SE](/education/windows/windows-11-se-overview). Its policy binary file is found in the EFI system partition at `\Microsoft\Boot\CIPolicies\Active\{82443e1e-8a39-4b4a-96a8-f40ddc00b9f3}.cip`. | +| **WindowsE_Lockdown_Flight_Policy_Supplemental** | {5dac656c-21ad-4a02-ab49-649917162e70} | Supplemental policy | This policy is active on devices running [Windows 11 SE](/education/windows/windows-11-se-overview) that are enrolled in the [Windows Insider](https://insider.windows.com) program. Its policy binary file is found in the EFI system partition at `\Microsoft\Boot\CIPolicies\Active\{5dac656c-21ad-4a02-ab49-649917162e70}.cip`. 
| +| **WindowsE_Lockdown_Test_Policy_Supplemental** | {CDD5CB55-DB68-4D71-AA38-3DF2B6473A52} | Supplemental policy | This policy is active on devices running [Windows 11 SE](/education/windows/windows-11-se-overview) with Secure Boot disabled and TESTSIGNING on. Its policy binary file is found in the EFI system partition at `\Microsoft\Boot\CIPolicies\Active\{CDD5CB55-DB68-4D71-AA38-3DF2B6473A52}.cip`. | +| **VerifiedAndReputableDesktop** | {0283ac0f-fff1-49ae-ada1-8a933130cad6} | Base policy | This policy is active on devices running Windows 11 with [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) turned on. Its policy binary file is found at `%windir%\System32\CodeIntegrity\CIPolicies\Active\{0283ac0f-fff1-49ae-ada1-8a933130cad6}.cip`. | +| **VerifiedAndReputableDesktopFlightSupplemental** | {1678656c-05ef-481f-bc5b-ebd8c991502d} | Supplemental policy | This policy is active on devices running Windows 11 with [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) turned on and enrolled in the [Windows Insider](https://insider.windows.com) program. Its policy binary file is found at `%windir%\System32\CodeIntegrity\CIPolicies\Active\{1678656c-05ef-481f-bc5b-ebd8c991502d}.cip`. | +| **VerifiedAndReputableDesktopTestSupplemental** | {0939ED82-BFD5-4D32-B58E-D31D3C49715A} | Supplemental policy | This policy is active on devices running Windows 11 with [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) turned on and with Secure Boot disabled and TESTSIGNING on. Its policy binary file is found at `%windir%\System32\CodeIntegrity\CIPolicies\Active\{0939ED82-BFD5-4D32-B58E-D31D3C49715A}.cip`. 
| +| **VerifiedAndReputableDesktopEvaluation** | {1283ac0f-fff1-49ae-ada1-8a933130cad6} | Base policy | This policy is active on devices running Windows 11 with [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) in *evaluation mode*. Its policy binary file is found at `%windir%\System32\CodeIntegrity\CIPolicies\Active\{1283ac0f-fff1-49ae-ada1-8a933130cad6}.cip`. | +| **VerifiedAndReputableDesktopEvaluationFlightSupplemental** | {2678656c-05ef-481f-bc5b-ebd8c991502d} | Supplemental policy | This policy is active on devices running Windows 11 with [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) in *evaluation mode* and enrolled in the [Windows Insider](https://insider.windows.com) program. Its policy binary file is found at `%windir%\System32\CodeIntegrity\CIPolicies\Active\{2678656c-05ef-481f-bc5b-ebd8c991502d}.cip`. | +| **VerifiedAndReputableDesktopEvaluationTestSupplemental** | {1939ED82-BFD5-4D32-B58E-D31D3C49715A} | Supplemental policy | This policy is active on devices running Windows 11 with [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) in *evaluation mode* and with Secure Boot disabled and TESTSIGNING on. Its policy binary file is found at `%windir%\System32\CodeIntegrity\CIPolicies\Active\{1939ED82-BFD5-4D32-B58E-D31D3C49715A}.cip`. | From ed650fcc6c9e4060a82591d266dc035936af3e2c Mon Sep 17 00:00:00 2001 From: Bart Billiet Date: Fri, 10 Mar 2023 21:12:24 +0100 Subject: [PATCH 022/101] Fix URL --- .../identity-protection/hello-for-business/hello-faq.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml index de180d4626..082c1adff9 100644 
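Review bot: in the new inbox-wdac-policies.md front matter, `ms.manager: jsuther` and `manager: aaroncz` both appear, which are two different values for what is effectively one field; keep only the one this repo's template expects. Two smaller points: the `## Inbox WDAC Policies` section heading repeats the H1 `# Inbox WDAC policies` and could be dropped or renamed (for example "Policy list"), and the Policy ID column mixes lowercase GUIDs with uppercase ones ({CDD5CB55-...}, {0939ED82-...}, {1939ED82-...}); since the article tells readers to match these IDs against citool.exe output and 3099 activation events, use one casing throughout.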
--- a/windows/security/identity-protection/hello-for-business/hello-faq.yml +++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml @@ -238,7 +238,7 @@ sections: - attempting to access on-premises resources secured by Active Directory - question: Can I use RDP/VDI with Windows Hello for Business cloud Kerberos trust? answer: | - Windows Hello for Business cloud Kerberos trust can't be used as a supplied credential with RDP/VDI. Similar to key trust, cloud Kerberos trust can be used for RDP with [remote credential guard][/windows/security/identity-protection/remote-credential-guard] or if a [certificate is enrolled into Windows Hello for Business](hello-deployment-rdp-certs.md) for this purpose. + Windows Hello for Business cloud Kerberos trust can't be used as a supplied credential with RDP/VDI. Similar to key trust, cloud Kerberos trust can be used for RDP with [remote credential guard](/windows/security/identity-protection/remote-credential-guard) or if a [certificate is enrolled into Windows Hello for Business](hello-deployment-rdp-certs.md) for this purpose. - question: Do all my domain controllers need to be fully patched as per the prerequisites for me to use Windows Hello for Business cloud Kerberos trust? answer: | No, only the number necessary to handle the load from all cloud Kerberos trust devices. From 3e2d0d266854819e50de4a9ae95fb61dcec9b9ff Mon Sep 17 00:00:00 2001 From: Angela Fleischmann Date: Fri, 10 Mar 2023 14:15:01 -0700 Subject: [PATCH 023/101] Apply suggestions from code review Line 35: Delete extra space. --- .../hello-for-business/hello-feature-dynamic-lock.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md index 9268eb6f52..5fea59fc25 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md 
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md @@ -32,7 +32,7 @@ The Group Policy Editor, when the policy is enabled, creates a default signal ru >[!IMPORTANT] >Microsoft recommends using the default values for this policy settings. Measurements are relative based on the varying conditions of each environment. Therefore, the same values may produce different results. Test policy settings in each environment prior to broadly deploying the setting. -For this policy setting, the **type** and **scenario** attribute values are static and can't change. The **classofDevice** is configurable but Phone is the only currently supported configuration. The attribute defaults to Phone and uses the values from the following table: +For this policy setting, the **type** and **scenario** attribute values are static and can't change. The **classofDevice** is configurable but Phone is the only currently supported configuration. The attribute defaults to Phone and uses the values from the following table: |Description|Value| |:-------------|:-------:| From c0b7abffb8c1c1b7ccf895ed8be2b47d50e18f2a Mon Sep 17 00:00:00 2001 From: jsuther1974 Date: Fri, 10 Mar 2023 14:59:01 -0800 Subject: [PATCH 024/101] Update delete-an-applocker-rule.md --- .../applocker/delete-an-applocker-rule.md | 60 +++++++++---------- 1 file changed, 27 insertions(+), 33 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md b/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md index ca59bdbda8..29e96b0c68 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md 
@@ -13,7 +13,7 @@ author: vinaypamnani-msft manager: aaroncz audience: ITPro ms.topic: conceptual -ms.date: 11/09/2020 +ms.date: 03/10/2023 ms.technology: itpro-security --- 
@@ -28,65 +28,59 @@ ms.technology: itpro-security >[!NOTE] >Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). -This article for IT professionals describes the steps to delete an AppLocker rule. +This article for IT professionals describes the steps to delete an AppLocker rule. -As older apps are retired and new apps are deployed in your organization, it will be necessary to modify the application control policies. If an app becomes unsupported by the IT department or is no longer allowed due to the organization's security policy, then deleting the rule or rules associated with that app will prevent the app from running. +As older apps are retired and new apps are deployed in your organization, it's necessary to modify the application control policies. If an app is no longer supported by your organization, then deleting the rule or rules associated with that app prevents the app from running. For info about testing an AppLocker policy to see what rules affect which files or applications, see [Test an AppLocker policy by Using Test-AppLockerPolicy](test-an-applocker-policy-by-using-test-applockerpolicy.md). -You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer -AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins). +You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. 
For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins). -These steps apply only for locally managed devices. If the device has AppLocker policies applied by using MDM or a GPO, the local policy won't override those settings. +These steps apply only for locally managed devices. Any AppLocker policies delivered through MDM or Group Policy must be removed using those tools. ## To delete a rule in an AppLocker policy -1. Open the AppLocker console. -2. Click the appropriate rule collection for which you want to delete the rule. -3. In the details pane, right-click the rule to delete, click **Delete**, and then click **Yes**. +1. Open the AppLocker console. +2. Select the appropriate rule collection for which you want to delete the rule. +3. In the details pane, right-click the rule to delete, select **Delete**, and then select **Yes**. -> [!Note] +> [!NOTE] +> > - When using Group Policy, the Group Policy Object must be distributed or refreshed for rule deletion to take effect on devices. -> - Application Identity service needs to be running for deleting Applocker rules. If you disable Applocker and delete Applocker rules, make sure to stop the Application Identity service after deleting Applocker rules. If the Application Identity service is stopped before deleting Applocker rules, and if Applocker blocks apps that are disabled, delete all of the files at `C:\Windows\System32\AppLocker`. +> - Application Identity service needs to be running for deleting Applocker rules. If you disable Applocker and delete Applocker rules, make sure to stop the Application Identity service after deleting Applocker rules. If the Application Identity service is stopped before deleting Applocker rules, and if Applocker blocks apps that are disabled, delete all of the files at `C:\Windows\System32\AppLocker`. 
When the following procedure is performed on the local device, the AppLocker policy takes effect immediately. ## To clear AppLocker policies on a single system or remote systems -Use the Set-AppLockerPolicy cmdlet with the -XMLPolicy parameter, using an .XML file that contains the following contents: -```xml - - - - - - - - -``` - -To use the Set-AppLockerPolicy cmdlet, first import the AppLocker modules: +First import the AppLocker modules for PowerShell: ```powershell PS C:\Users\Administrator> import-module AppLocker ``` -We'll create a file (for example, clear.xml), place it in the same directory where we're executing our cmdlet, and add the preceding XML contents. Then run the following command: +Create a file called clear.xml with the following XML content and save it to your desktop. -```powershell -C:\Users\Administrator> Set-AppLockerPolicy -XMLPolicy .\clear.xml +```xml + ``` -This command will remove all AppLocker Policies on a machine and could be potentially scripted to use on multiple machines using remote execution tools with accounts with proper access. +Then run the following command from an elevated PowerShell session to remove all local AppLocker policies from the device: -The following PowerShell commands must also be run to stop the AppLocker services and the effects of the former AppLocker policy. +```powershell +C:\Users\Administrator> Set-AppLockerPolicy -XMLPolicy $env:USERPROFILE\Desktop\clear.xml +``` + +Run the following PowerShell commands to stop the AppLocker services and change their startup configuration. ```powershell appidtel.exe stop [-mionly] sc.exe config appid start=demand sc.exe config appidsvc start=demand sc.exe config applockerfltr start=demand -sc stop applockerfltr -sc stop appidsvc -sc stop appid -``` \ No newline at end of file +sc.exe stop applockerfltr +sc.exe stop appidsvc +sc.exe stop appid +``` + +All of these steps can be run on a single machine or deployed as a script to multiple devices. 
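Review bot: the `sc.exe config ... start=demand` lines in the final PowerShell block won't parse as written, because sc.exe requires a space after the equals sign in its option syntax (`sc.exe config appid start= demand`), so each of the three config lines needs that fix. Two further points in the same procedure: the `xml` fence for clear.xml comes through empty in this diff, so verify that the policy XML with emptied rule collections survived the move from the old block, otherwise `Set-AppLockerPolicy -XMLPolicy` has nothing to import; and `appidtel.exe stop [-mionly]` uses documentation bracket notation inside a block readers will paste verbatim, so either drop the optional switch or explain it in prose. Style: the note still alternates "Applocker" and "AppLocker" within one sentence.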
From 2292b0c7cf7f91caa96cc5d9b6c61cc57f1233b6 Mon Sep 17 00:00:00 2001 From: jsuther1974 Date: Fri, 10 Mar 2023 15:06:19 -0800 Subject: [PATCH 025/101] Update delete-an-applocker-rule.md --- .../applocker/delete-an-applocker-rule.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md b/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md index 29e96b0c68..3d51267223 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md @@ -28,7 +28,7 @@ ms.technology: itpro-security >[!NOTE] >Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). -This article for IT professionals describes the steps to delete an AppLocker rule. +This article for IT professionals describes the steps to delete AppLocker rules. As older apps are retired and new apps are deployed in your organization, it's necessary to modify the application control policies. If an app is no longer supported by your organization, then deleting the rule or rules associated with that app prevents the app from running. From 8fca7a16f36b6f8653b2bcb143c771a5a518d7d4 Mon Sep 17 00:00:00 2001 From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Fri, 10 Mar 2023 20:01:35 -0500 Subject: [PATCH 026/101] PDE Intune Config Updates --- .../configure-pde-in-intune.md | 366 ++++++++++++------ 1 file changed, 239 insertions(+), 127 deletions(-) 
diff --git a/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md b/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md index e42dd1f9c9..7f2563f0db 100644 --- a/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md +++ b/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md @@ -9,7 +9,7 @@ ms.topic: how-to ms.prod: windows-client ms.technology: itpro-security ms.localizationpriority: medium -ms.date: 12/13/2022 +ms.date: 03/10/2023 --- 
@@ -21,241 +21,353 @@ ms.date: 12/13/2022 ### Enable Personal Data Encryption (PDE) -1. Sign into [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -2. Navigate to **Devices** > **Configuration Profiles** +1. In the **Home** screen, select **Devices**. -3. Select **Create profile** +1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**. -4. Under **Platform**, select **Windows 10 and later** +1. In the **Devices | Configuration profiles screen**, select **Create profile**. -5. Under **Profile type**, select **Templates** +1. In the **Create profile** window: -6. Under **Template name**, select **Custom**, and then select **Create** + 1. Under **Platform**, select **Windows 10 and later**. -7. In **Basics**: + 1. Under **Profile type**, select **Templates**. - 1. Next to **Name**, enter **Personal Data Encryption** - 2. Next to **Description**, enter a description + 1. When the templates appears, under **Template name**, select **Custom**. -8. Select **Next** + 1. Select **Create**. -9. In **Configuration settings**, select **Add** +1. In the **Basics** page of the **Custom** screen: -10. In **Add Row**: + 1. Next to **Name**, enter **Personal Data Encryption**. - 1. Next to **Name**, enter **Personal Data Encryption** - 2. Next to **Description**, enter a description - 3. Next to **OMA-URI**, enter in **./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption** - 4. Next to **Data type**, select **Integer** - 5. Next to **Value**, enter in **1** + 1. Next to **Description**, enter a description. -11. Select **Save**, and then select **Next** + 1. Select **Next**. -12. In **Assignments**: +1. In **Configuration settings** page: - 1. Under **Included groups**, select **Add groups** - 2. Select the groups that the PDE policy should be deployed to - 3. Select **Select** - 4. Select **Next** + 1. Select **Add**. 
-13. In **Applicability Rules**, configure if necessary and then select **Next** + 1. In the **Add Row** pane: -14. In **Review + create**, review the configuration to make sure everything is configured correctly, and then select **Create** + 1. Next to **Name**, enter **Personal Data Encryption**. + 1. Next to **Description**, enter a description. + 1. Next to **OMA-URI**, enter in **./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption**. + 1. Next to **Data type**, select **Integer**. + 1. Next to **Value**, enter in **1**. + 1. Select **Save**. + + 1. Select **Next** + +1. In the **Scope tags** page, configure if necessary and then select **Next**. + +1. In the **Assignments** page: + + 1. Under **Included groups**, select **Add groups**. + + > [!NOTE] + > + > Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile. + + 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select**. + + 1. Under **Groups**, ensure the correct group(s) are selected, and then select **Next**. + +1. In **Applicability Rules**, configure if necessary and then select **Next**. + +1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**. ### Disable Winlogon automatic restart sign-on (ARSO) -1. Sign into [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -2. Navigate to **Devices** > **Configuration Profiles** +1. In the **Home** screen, select **Devices**. -3. Select **Create profile** +1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**. -4. 
Under **Platform**, select **Windows 10 and later** +1. In the **Devices | Configuration profiles screen**, select **Create profile**. -5. Under **Profile type**, select **Templates** +1. In the **Create profile** window: -6. Under **Template name**, select **Administrative templates**, and then select **Create** + 1. Under **Platform**, select **Windows 10 and later**. -7. In **Basics**: + 1. Under **Profile type**, select **Templates**. - 1. Next to **Name**, enter **Disable ARSO** - 2. Next to **Description**, enter a description + 1. When the templates appears, under **Template name**, select **Administrative templates**. -8. Select **Next** + 1. Select **Create**. -9. In **Configuration settings**, under **Computer Configuration**, navigate to **Windows Components** > **Windows Logon Options** +1. In the **Basics** page of the **Create profile** screen: -10. Select **Sign-in and lock last interactive user automatically after a restart** + 1. Next to **Name**, enter **Disable ARSO**. -11. In the **Sign-in and lock last interactive user automatically after a restart** window that opens, select **Disabled**, and then select **OK** + 1. Next to **Description**, enter a description. -12. Select **Next** + 1. Select **Next**. -13. In **Scope tags**, configure if necessary and then select **Next** +1. In the **Configuration settings** page: -14. In **Assignments**: + 1. At the top of the page, make sure **Computer Configuration** is selected. - 1. Under **Included groups**, select **Add groups** - 2. Select the groups that the ARSO policy should be deployed to - 3. Select **Select** - 4. Select **Next** + 1. Under **Setting name**, scroll down and select **Windows Components**. -15. In **Review + create**, review the configuration to make sure everything is configured correctly, and then select **Create** + 1. Under **Setting name**, scroll down and select **Windows Logon Options**. 
You may need to navigate between pages on the bottom right corner before finding the **Windows Logon Options** option. + + 1. Under **Setting name** of the **Windows Logon Options** pane, select **Sign-in and lock last interactive user automatically after a restart**. + + 1. In the **Sign-in and lock last interactive user automatically after a restart** window that opens, select **Disabled**, and then select **OK** + + 1. Select **Next** + +1. In the **Scope tags** page, configure if necessary and then select **Next**. + +1. In the **Assignments** page: + + 1. Under **Included groups**, select **Add groups**. + + > [!NOTE] + > + > Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile. + + 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select**. + + 1. Under **Groups**, ensure the correct group(s) are selected, and then select **Next**. + +1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**. ## Security hardening recommendations ### Disable kernel-mode crash dumps and live dumps -1. Sign into [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -2. Navigate to **Devices** > **Configuration Profiles** +1. In the **Home** screen, select **Devices**. -3. Select **Create profile** +1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**. -4. Under **Platform**, select **Windows 10 and later** +1. In the **Devices | Configuration profiles screen**, select **Create profile**. -5. 
Under **Profile type**, select **Settings catalog**, and then select **Create** +1. In the **Create profile** window: -6. In **Basics**: + 1. Under **Platform**, select **Windows 10 and later**. - 1. Next to **Name**, enter **Disable Kernel-Mode Crash Dumps** - 2. Next to **Description**, enter a description + 1. Under **Profile type**, select **Settings catalog**. -7. Select **Next** + 1. Select **Create**. -8. In **Configuration settings**, select **Add settings** +1. In the **Basics** page of the **Create profile** screen: -9. In the **Settings picker** window, under **Browse by category**, select **Memory Dump** + 1. Next to **Name**, enter **Disable Kernel-Mode Crash Dumps**. -10. When the settings appear under **Setting name**, select both **Allow Crash Dump** and **Allow Live Dump**, and then select the **X** in the top right corner of the **Settings picker** window to close the window + 1. Next to **Description**, enter a description. -11. Change both **Allow Live Dump** and **Allow Crash Dump** to **Block**, and then select **Next** + 1. Select **Next**. -12. In **Scope tags**, configure if necessary and then select **Next** +1. In the **Configuration settings** page: -13. In **Assignments**: + 1. Select **Add settings**. + 1. In the **Settings picker** pane: - 1. Under **Included groups**, select **Add groups** - 2. Select the groups that the disable crash dumps policy should be deployed to - 3. Select **Select** - 4. Select **Next** + 1. Under **Browse by category**, scroll down and select **Memory Dump**. -14. In **Review + create**, review the configuration to make sure everything is configured correctly, and then select **Create** + 1. When the settings for the **Memory Dump** category appear under **Setting name**, select both **Allow Crash Dump** and **Allow Live Dump**, and then select the **X** in the top right corner of the **Settings picker** window to close the window. + + 1. 
Change both **Allow Live Dump** and **Allow Crash Dump** from **Allow** to **Block** by selecting the slider next to each option, and then select **Next**. + +1. In the **Scope tags** page, configure if necessary and then select **Next**. + +1. In the **Assignments** page: + + 1. Under **Included groups**, select **Add groups**. + + > [!NOTE] + > + > Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile. + + 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select**. + + 1. Under **Groups**, ensure the correct group(s) are selected, and then select **Next**. + +1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**. ### Disable Windows Error Reporting (WER)/Disable user-mode crash dumps -1. Sign into [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -2. Navigate to **Devices** > **Configuration Profiles** +1. In the **Home** screen, select **Devices**. -3. Select **Create profile** +1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**. -4. Under **Platform**, select **Windows 10 and later** +1. In the **Devices | Configuration profiles screen**, select **Create profile**. -5. Under **Profile type**, select **Settings catalog**, and then select **Create** +1. In the **Create profile** window: -6. In **Basics**: + 1. Under **Platform**, select **Windows 10 and later**. - 1. Next to **Name**, enter **Disable Windows Error Reporting (WER)** - 2. Next to **Description**, enter a description + 1. 
Under **Profile type**, select **Settings catalog**. -7. Select **Next** + 1. Select **Create**. -8. In **Configuration settings**, select **Add settings** +1. In the **Basics** page of the **Create profile** screen: -9. In the **Settings picker** window, under **Browse by category**, expand to **Administrative Templates** > **Windows Components**, and then select **Windows Error Reporting** + 1. Next to **Name**, enter **Disable Windows Error Reporting (WER)**. -10. When the settings appear under **Setting name**, select **Disable Windows Error Reporting**, and then select the **X** in the top right corner of the **Settings picker** window to close the window + 1. Next to **Description**, enter a description. -11. Change **Disable Windows Error Reporting** to **Enabled**, and then select **Next** + 1. Select **Next**. -12. In **Scope tags**, configure if necessary and then select **Next** +1. In the **Configuration settings** page: -13. In **Assignments**: + 1. Select **Add settings**. - 1. Under **Included groups**, select **Add groups** - 2. Select the groups that the disable WER dumps policy should be deployed to - 3. Select **Select** - 4. Select **Next** + 1. In the **Settings picker** window: -14. In **Review + create**, review the configuration to make sure everything is configured correctly, and then select **Create** + 1. Under **Browse by category**, expand **Administrative Templates** by selecting the **>** to the left of it. + + 1. Under **Administrative Templates**, scroll down and expand **Windows Components**. + + 1. Under **Windows Components**, scroll down and select **Windows Error Reporting**. + + 1. When the settings for the **Windows Error Reporting** subcategory appear under **Setting name**, select **Disable Windows Error Reporting**, and then select the **X** in the top right corner of the **Settings picker** window to close the window. + + 1. 
Change **Disable Windows Error Reporting** from **Disabled** to **Enabled** by selecting the slider next to the option. + + 1. select **Next**. + +1. In the **Scope tags** page, configure if necessary and then select **Next**. + +1. In the **Assignments** page: + + 1. Under **Included groups**, select **Add groups**. + + > [!NOTE] + > + > Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile. + + 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select**. + + 1. Under **Groups**, ensure the correct group(s) are selected, and then select **Next**. + +1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**. ### Disable hibernation -1. Sign into [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -2. Navigate to **Devices** > **Configuration Profiles** +1. In the **Home** screen, select **Devices**. -3. Select **Create profile** +1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**. -4. Under **Platform**, select **Windows 10 and later** +1. In the **Devices | Configuration profiles screen**, select **Create profile**. -5. Under **Profile type**, select **Settings catalog**, and then select **Create** +1. In the **Create profile** window: -6. In **Basics**: + 1. Under **Platform**, select **Windows 10 and later**. - 1. Next to **Name**, enter **Disable Hibernation** - 2. Next to **Description**, enter a description + 1. Under **Profile type**, select **Settings catalog**. -7. Select **Next** + 1. Select **Create**. -8. 
In **Configuration settings**, select **Add settings** +1. In the **Basics** page of the **Create profile** screen: -9. In the **Settings picker** window, under **Browse by category**, select **Power** + 1. Next to **Name**, enter **Disable Hibernation**. -10. When the settings appear under **Setting name**, select **Allow Hibernate**, and then select the **X** in the top right corner of the **Settings picker** window to close the window + 1. Next to **Description**, enter a description. -11. Change **Allow Hibernate** to **Block**, and then select **Next** + 1. Select **Next**. -12. In **Scope tags**, configure if necessary and then select **Next** +1. In the **Configuration settings** page: -13. In **Assignments**: + 1. select **Add settings**. - 1. Under **Included groups**, select **Add groups** - 2. Select the groups that the disable hibernation policy should be deployed to - 3. Select **Select** - 4. Select **Next** + 1. In the **Settings picker** window: -14. In **Review + create**, review the configuration to make sure everything is configured correctly, and then select **Create** + 1. Under **Browse by category**, scroll down and select **Power**. + + 1. When the settings for the **Power** category appear under **Setting name**, select **Allow Hibernate**, and then select the **X** in the top right corner of the **Settings picker** window to close the window. + + 1. Change **Allow Hibernate** from **Allow** to **Block** by selecting the slider next to the option. + + 1. Select **Next**. + +1. In the **Scope tags** page, configure if necessary and then select **Next**. + +1. In the **Assignments** page: + + 1. Under **Included groups**, select **Add groups**. + + > [!NOTE] + > + > Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile. + + 1. 
In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select**. + + 1. Under **Groups**, ensure the correct group(s) are selected, and then select **Next**. + +1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**. ### Disable allowing users to select when a password is required when resuming from connected standby -1. Sign into [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -2. Navigate to **Devices** > **Configuration Profiles** +1. In the **Home** screen, select **Devices**. -3. Select **Create profile** +1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**. -4. Under **Platform**, select **Windows 10 and later** +1. In the **Devices | Configuration profiles screen**, select **Create profile**. -5. Under **Profile type**, select **Settings catalog**, and then select **Create** +1. In the **Create profile** window: -6. In **Basics**: + 1. Under **Platform**, select **Windows 10 and later**. - 1. Next to **Name**, enter **Disable allowing users to select when a password is required when resuming from connected standby** - 2. Next to **Description**, enter a description + 1. Under **Profile type**, select **Settings catalog**. -7. Select **Next** + 1. Select **Create**. -8. In **Configuration settings**, select **Add settings** +1. In the **Basics** page of the **Create profile** screen: -9. In the **Settings picker** window, under **Browse by category**, expand to **Administrative Templates** > **System**, and then select **Logon** + 1. Next to **Name**, enter **Disable allowing users to select when a password is required when resuming from connected standby**. -10. 
When the settings appear under **Setting name**, select **Allow users to select when a password is required when resuming from connected standby**, and then select the **X** in the top right corner of the **Settings picker** window to close the window + 1. Next to **Description**, enter a description. -11. Make sure that **Allow users to select when a password is required when resuming from connected standby** is left at the default of **Disabled**, and then select **Next** + 1. Select **Next**. -12. In **Scope tags**, configure if necessary and then select **Next** +1. In the **Configuration settings** page: -13. In **Assignments**: + 1. Select **Add settings**. - 1. Under **Included groups**, select **Add groups** - 2. Select the groups that the disable Allow users to select when a password is required when resuming from connected standby policy should be deployed to - 3. Select **Select** - 4. Select **Next** + 1. In the **Settings picker** window: -14. In **Review + create**, review the configuration to make sure everything is configured correctly, and then select **Create** + 1. Under **Browse by category**, expand **Administrative Templates** by selecting the **>** to the left of it. + + 1. Under **Administrative Templates**, scroll down and expand **System**. + + 1. Under **System**, scroll down and select **Logon**. + + 1. When the settings for the **Logon** subcategory appear under **Setting name**, select **Allow users to select when a password is required when resuming from connected standby**, and then select the **X** in the top right corner of the **Settings picker** window to close the window. + + 1. Leave the slider for **Allow users to select when a password is required when resuming from connected standby** at the default of **Disabled**. + + 1. select **Next**. + +1. In the **Scope tags** page, configure if necessary and then select **Next**. + +1. In the **Assignments** page: + + 1. Under **Included groups**, select **Add groups**. 
+ + > [!NOTE] + > + > Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile. + + 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select**. + + 1. Under **Groups**, ensure the correct group(s) are selected, and then select **Next**. + +1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**. ## See also From 8b43a9b1c231f09dcdcd072d771b3ebb5312b643 Mon Sep 17 00:00:00 2001 
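Review bot: In the Enable PDE section of this hunk, the added note under **Included groups** warns about "the desired device groups", while the surrounding steps speak of "the groups that the configuration profile should be assigned to" and the setting being deployed is the user-scoped OMA-URI `./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption`; use the neutral wording "groups" in the note so readers of a user-scoped custom profile are not steered toward device-only groups. Several added lines also need copy fixes: "When the templates appears" (three occurrences) should read "When the templates appear"; "In **Configuration settings** page:" and "In **Review + create** page" are missing "the"; "enter in **./User/...**" and "enter in **1**" should be "enter"; the bold in "**Devices | Configuration profiles screen**" should stop before "screen"; "1. select **Next**." (WER and connected-standby sections) and "1. select **Add settings**." (hibernation section) need a capital "Select", while "Select **Next**" and "select **OK**" in the Enable PDE and ARSO sections lack the trailing period used everywhere else. In the kernel-mode crash dumps section, "1. Select **Add settings**." and "1. In the **Settings picker** pane:" are not separated by a blank line as the other lists are, "pane" is used where the other sections say "window", and the "Change both ... to **Block**" step is indented as a child of **Settings picker** even though the picker was closed in the previous step; move it up one level to match the WER and hibernation sections. Finally, the identical `> [!NOTE]` block is pasted into all six sections; an include file would keep the copies from drifting.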
From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Fri, 10 Mar 2023 21:06:03 -0500 Subject: [PATCH 027/101] PDE Intune Config Updates 2 --- windows/security/TOC.yml | 16 +- .../configure-pde-in-intune.md | 350 +----------------- .../personal-data-encryption/overview-pde.md | 20 +- .../pde-in-intune/intune-disable-arso.md | 73 ++++ .../intune-disable-hibernation.md | 73 ++++ .../intune-disable-memory-dumps.md | 70 ++++ ...tune-disable-password-connected-standby.md | 93 +++++ .../pde-in-intune/intune-disable-wer.md | 77 ++++ .../pde-in-intune/intune-enable-pde.md | 76 ++++ 9 files changed, 495 insertions(+), 353 deletions(-) create mode 100644 windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-arso.md create mode 100644 windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-hibernation.md create mode 100644 windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-memory-dumps.md create mode 100644 windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-password-connected-standby.md create mode 100644 windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-wer.md create mode 100644 windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-enable-pde.md diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index d2d1fa36bd..53b5503c72 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml 
@@ -162,7 +162,21 @@ - name: Personal Data Encryption (PDE) frequently asked questions (FAQ) href: information-protection/personal-data-encryption/faq-pde.yml - name: Configure Personal Data Encryption (PDE) in Intune - href: information-protection/personal-data-encryption/configure-pde-in-intune.md + items: + - name: Configure Personal Data Encryption (PDE) in Intune + href: information-protection/personal-data-encryption/configure-pde-in-intune.md + - name: Enable Personal Data Encryption (PDE) in Intune + href: information-protection/personal-data-encryption/pde-in-intune/intune-enable-pde.md + - name: Disable Winlogon automatic restart sign-on (ARSO) + href: information-protection/personal-data-encryption/pde-in-intune/intune-disable-arso.md + - name: Disable kernel-mode crash dumps and live dumps + href: information-protection/personal-data-encryption/pde-in-intune/intune-disable-memory-dumps.md + - name: Disable Windows Error Reporting (WER)/Disable user-mode crash dumps + href: information-protection/personal-data-encryption/pde-in-intune/intune-disable-wer.md + - name: Disable hibernation + href: information-protection/personal-data-encryption/pde-in-intune/intune-disable-hibernation.md + - name: Disable allowing users to select when a password is required when resuming from connected standby + href: information-protection/personal-data-encryption/pde-in-intune/intune-disable-password-connected-standby.md - name: Configure S/MIME for Windows href: identity-protection/configure-s-mime.md - name: Network security diff --git a/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md b/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md index 7f2563f0db..4c21c312f0 100644 --- a/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md +++ b/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md 
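Review bot: The first child added under `items` in this hunk, "Configure Personal Data Encryption (PDE) in Intune", repeats the parent node's name exactly, so the TOC will render the same label twice in a row; either keep the `href` on the parent node alongside `items` so the parent itself opens the overview page, or rename the child (for example "Overview") so the two entries are distinguishable. The remaining six entries match the H3 headings being split out of configure-pde-in-intune.md in the same commit, which is fine.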
@@ -17,357 +17,23 @@ ms.date: 03/10/2023 # Configure Personal Data Encryption (PDE) policies in Intune +The various required and recommended polices needed for Personal Data Encryption (PDE) can be configured in Intune. The following links for both required and recommended policies contain step by step instruction son how to configure these policies in Intune. + ## Required prerequisites -### Enable Personal Data Encryption (PDE) +1. [Enable Personal Data Encryption (PDE)](pde-in-intune/intune-enable-pde.md) -1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). - -1. In the **Home** screen, select **Devices**. - -1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**. - -1. In the **Devices | Configuration profiles screen**, select **Create profile**. - -1. In the **Create profile** window: - - 1. Under **Platform**, select **Windows 10 and later**. - - 1. Under **Profile type**, select **Templates**. - - 1. When the templates appears, under **Template name**, select **Custom**. - - 1. Select **Create**. - -1. In the **Basics** page of the **Custom** screen: - - 1. Next to **Name**, enter **Personal Data Encryption**. - - 1. Next to **Description**, enter a description. - - 1. Select **Next**. - -1. In **Configuration settings** page: - - 1. Select **Add**. - - 1. In the **Add Row** pane: - - 1. Next to **Name**, enter **Personal Data Encryption**. - 1. Next to **Description**, enter a description. - 1. Next to **OMA-URI**, enter in **./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption**. - 1. Next to **Data type**, select **Integer**. - 1. Next to **Value**, enter in **1**. - 1. Select **Save**. - - 1. Select **Next** - -1. In the **Scope tags** page, configure if necessary and then select **Next**. - -1. In the **Assignments** page: - - 1. Under **Included groups**, select **Add groups**. 
- - > [!NOTE] - > - > Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile. - - 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select**. - - 1. Under **Groups**, ensure the correct group(s) are selected, and then select **Next**. - -1. In **Applicability Rules**, configure if necessary and then select **Next**. - -1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**. - -### Disable Winlogon automatic restart sign-on (ARSO) - -1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). - -1. In the **Home** screen, select **Devices**. - -1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**. - -1. In the **Devices | Configuration profiles screen**, select **Create profile**. - -1. In the **Create profile** window: - - 1. Under **Platform**, select **Windows 10 and later**. - - 1. Under **Profile type**, select **Templates**. - - 1. When the templates appears, under **Template name**, select **Administrative templates**. - - 1. Select **Create**. - -1. In the **Basics** page of the **Create profile** screen: - - 1. Next to **Name**, enter **Disable ARSO**. - - 1. Next to **Description**, enter a description. - - 1. Select **Next**. - -1. In the **Configuration settings** page: - - 1. At the top of the page, make sure **Computer Configuration** is selected. - - 1. Under **Setting name**, scroll down and select **Windows Components**. - - 1. Under **Setting name**, scroll down and select **Windows Logon Options**. 
You may need to navigate between pages on the bottom right corner before finding the **Windows Logon Options** option. - - 1. Under **Setting name** of the **Windows Logon Options** pane, select **Sign-in and lock last interactive user automatically after a restart**. - - 1. In the **Sign-in and lock last interactive user automatically after a restart** window that opens, select **Disabled**, and then select **OK** - - 1. Select **Next** - -1. In the **Scope tags** page, configure if necessary and then select **Next**. - -1. In the **Assignments** page: - - 1. Under **Included groups**, select **Add groups**. - - > [!NOTE] - > - > Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile. - - 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select**. - - 1. Under **Groups**, ensure the correct group(s) are selected, and then select **Next**. - -1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**. +1. [Disable Winlogon automatic restart sign-on (ARSO)](pde-in-intune/intune-disable-arso.md) ## Security hardening recommendations -### Disable kernel-mode crash dumps and live dumps +1. [Disable kernel-mode crash dumps and live dumps](pde-in-intune/intune-disable-memory-dumps.md) -1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. [Disable Windows Error Reporting (WER)/Disable user-mode crash dumps](pde-in-intune/intune-disable-wer.md) -1. In the **Home** screen, select **Devices**. +1. [Disable hibernation](pde-in-intune/intune-disable-hibernation.md) -1. 
In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**. - -1. In the **Devices | Configuration profiles screen**, select **Create profile**. - -1. In the **Create profile** window: - - 1. Under **Platform**, select **Windows 10 and later**. - - 1. Under **Profile type**, select **Settings catalog**. - - 1. Select **Create**. - -1. In the **Basics** page of the **Create profile** screen: - - 1. Next to **Name**, enter **Disable Kernel-Mode Crash Dumps**. - - 1. Next to **Description**, enter a description. - - 1. Select **Next**. - -1. In the **Configuration settings** page: - - 1. Select **Add settings**. - 1. In the **Settings picker** pane: - - 1. Under **Browse by category**, scroll down and select **Memory Dump**. - - 1. When the settings for the **Memory Dump** category appear under **Setting name**, select both **Allow Crash Dump** and **Allow Live Dump**, and then select the **X** in the top right corner of the **Settings picker** window to close the window. - - 1. Change both **Allow Live Dump** and **Allow Crash Dump** from **Allow** to **Block** by selecting the slider next to each option, and then select **Next**. - -1. In the **Scope tags** page, configure if necessary and then select **Next**. - -1. In the **Assignments** page: - - 1. Under **Included groups**, select **Add groups**. - - > [!NOTE] - > - > Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile. - - 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select**. - - 1. Under **Groups**, ensure the correct group(s) are selected, and then select **Next**. - -1. 
In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**. - -### Disable Windows Error Reporting (WER)/Disable user-mode crash dumps - -1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). - -1. In the **Home** screen, select **Devices**. - -1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**. - -1. In the **Devices | Configuration profiles screen**, select **Create profile**. - -1. In the **Create profile** window: - - 1. Under **Platform**, select **Windows 10 and later**. - - 1. Under **Profile type**, select **Settings catalog**. - - 1. Select **Create**. - -1. In the **Basics** page of the **Create profile** screen: - - 1. Next to **Name**, enter **Disable Windows Error Reporting (WER)**. - - 1. Next to **Description**, enter a description. - - 1. Select **Next**. - -1. In the **Configuration settings** page: - - 1. Select **Add settings**. - - 1. In the **Settings picker** window: - - 1. Under **Browse by category**, expand **Administrative Templates** by selecting the **>** to the left of it. - - 1. Under **Administrative Templates**, scroll down and expand **Windows Components**. - - 1. Under **Windows Components**, scroll down and select **Windows Error Reporting**. - - 1. When the settings for the **Windows Error Reporting** subcategory appear under **Setting name**, select **Disable Windows Error Reporting**, and then select the **X** in the top right corner of the **Settings picker** window to close the window. - - 1. Change **Disable Windows Error Reporting** from **Disabled** to **Enabled** by selecting the slider next to the option. - - 1. select **Next**. - -1. In the **Scope tags** page, configure if necessary and then select **Next**. - -1. In the **Assignments** page: - - 1. Under **Included groups**, select **Add groups**. 
- - > [!NOTE] - > - > Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile. - - 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select**. - - 1. Under **Groups**, ensure the correct group(s) are selected, and then select **Next**. - -1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**. - -### Disable hibernation - -1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). - -1. In the **Home** screen, select **Devices**. - -1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**. - -1. In the **Devices | Configuration profiles screen**, select **Create profile**. - -1. In the **Create profile** window: - - 1. Under **Platform**, select **Windows 10 and later**. - - 1. Under **Profile type**, select **Settings catalog**. - - 1. Select **Create**. - -1. In the **Basics** page of the **Create profile** screen: - - 1. Next to **Name**, enter **Disable Hibernation**. - - 1. Next to **Description**, enter a description. - - 1. Select **Next**. - -1. In the **Configuration settings** page: - - 1. select **Add settings**. - - 1. In the **Settings picker** window: - - 1. Under **Browse by category**, scroll down and select **Power**. - - 1. When the settings for the **Power** category appear under **Setting name**, select **Allow Hibernate**, and then select the **X** in the top right corner of the **Settings picker** window to close the window. - - 1. Change **Allow Hibernate** from **Allow** to **Block** by selecting the slider next to the option. - - 1. Select **Next**. - -1. 
In the **Scope tags** page, configure if necessary and then select **Next**. - -1. In the **Assignments** page: - - 1. Under **Included groups**, select **Add groups**. - - > [!NOTE] - > - > Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile. - - 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select**. - - 1. Under **Groups**, ensure the correct group(s) are selected, and then select **Next**. - -1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**. - -### Disable allowing users to select when a password is required when resuming from connected standby - -1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). - -1. In the **Home** screen, select **Devices**. - -1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**. - -1. In the **Devices | Configuration profiles screen**, select **Create profile**. - -1. In the **Create profile** window: - - 1. Under **Platform**, select **Windows 10 and later**. - - 1. Under **Profile type**, select **Settings catalog**. - - 1. Select **Create**. - -1. In the **Basics** page of the **Create profile** screen: - - 1. Next to **Name**, enter **Disable allowing users to select when a password is required when resuming from connected standby**. - - 1. Next to **Description**, enter a description. - - 1. Select **Next**. - -1. In the **Configuration settings** page: - - 1. Select **Add settings**. - - 1. In the **Settings picker** window: - - 1. Under **Browse by category**, expand **Administrative Templates** by selecting the **>** to the left of it. - - 1. 
Under **Administrative Templates**, scroll down and expand **System**. - - 1. Under **System**, scroll down and select **Logon**. - - 1. When the settings for the **Logon** subcategory appear under **Setting name**, select **Allow users to select when a password is required when resuming from connected standby**, and then select the **X** in the top right corner of the **Settings picker** window to close the window. - - 1. Leave the slider for **Allow users to select when a password is required when resuming from connected standby** at the default of **Disabled**. - - 1. select **Next**. - -1. In the **Scope tags** page, configure if necessary and then select **Next**. - -1. In the **Assignments** page: - - 1. Under **Included groups**, select **Add groups**. - - > [!NOTE] - > - > Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile. - - 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select**. - - 1. Under **Groups**, ensure the correct group(s) are selected, and then select **Next**. - -1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**. +1. [Disable allowing users to select when a password is required when resuming from connected standby](pde-in-intune/intune-disable-password-connected-standby.md) ## See also diff --git a/windows/security/information-protection/personal-data-encryption/overview-pde.md b/windows/security/information-protection/personal-data-encryption/overview-pde.md index 12709e8d35..10b6a7e163 100644 --- a/windows/security/information-protection/personal-data-encryption/overview-pde.md 
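Review bot: removing the inline procedures from configure-pde-in-intune.md also removes the section anchors that other pages linked to (for example `configure-pde-in-intune.md#disable-hibernation` and `#disable-windows-error-reporting-werdisable-user-mode-crash-dumps`), so every remaining link to those anchors has to be rewritten in the same change. This patch updates the links in overview-pde.md, but a repository-wide search for `configure-pde-in-intune.md#` should confirm that no other page still points at the deleted sections before this merges.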
+++ b/windows/security/information-protection/personal-data-encryption/overview-pde.md @@ -9,7 +9,7 @@ ms.topic: how-to ms.prod: windows-client ms.technology: itpro-security ms.localizationpriority: medium -ms.date: 12/13/2022 +ms.date: 03/10/2023 --- @@ -35,7 +35,7 @@ ms.date: 12/13/2022 - [FIDO/security key authentication](/azure/active-directory/authentication/howto-authentication-passwordless-security-key) - [Winlogon automatic restart sign-on (ARSO)](/windows-server/identity/ad-ds/manage/component-updates/winlogon-automatic-restart-sign-on--arso-) - - For information on disabling ARSO via Intune, see [Disable Winlogon automatic restart sign-on (ARSO)](configure-pde-in-intune.md#disable-winlogon-automatic-restart-sign-on-arso)). + - For information on disabling ARSO via Intune, see [Disable Winlogon automatic restart sign-on (ARSO)](pde-in-intune/intune-disable-arso.md). - [Windows Information Protection (WIP)](../windows-information-protection/protect-enterprise-data-using-wip.md) - [Hybrid Azure AD joined devices](/azure/active-directory/devices/concept-azure-ad-join-hybrid) - Remote Desktop connections 
@@ -44,19 +44,19 @@ ms.date: 12/13/2022 - [Kernel-mode crash dumps and live dumps disabled](/windows/client-management/mdm/policy-csp-memorydump#memorydump-policies) - Kernel-mode crash dumps and live dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable kernel-mode crash dumps and live dumps. For information on disabling crash dumps and live dumps via Intune, see [Disable kernel-mode crash dumps and live dumps](configure-pde-in-intune.md#disable-kernel-mode-crash-dumps-and-live-dumps). + Kernel-mode crash dumps and live dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable kernel-mode crash dumps and live dumps. For information on disabling crash dumps and live dumps via Intune, see [Disable kernel-mode crash dumps and live dumps](pde-in-intune/intune-disable-memory-dumps.md). - [Windows Error Reporting (WER) disabled/User-mode crash dumps disabled](/windows/client-management/mdm/policy-csp-errorreporting#errorreporting-disablewindowserrorreporting) - Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode crash dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable user-mode crash dumps. For more information on disabling crash dumps via Intune, see [Disable Windows Error Reporting (WER)/Disable user-mode crash dumps](configure-pde-in-intune.md#disable-windows-error-reporting-werdisable-user-mode-crash-dumps). + Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode crash dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable user-mode crash dumps. For more information on disabling crash dumps via Intune, see [Disable Windows Error Reporting (WER)/Disable user-mode crash dumps](pde-in-intune/intune-disable-wer.md). 
- [Hibernation disabled](/windows/client-management/mdm/policy-csp-power#power-allowhibernate) - Hibernation files can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable hibernation. For more information on disabling crash dumps via Intune, see [Disable hibernation](configure-pde-in-intune.md#disable-hibernation). + Hibernation files can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable hibernation. For more information on disabling crash dumps via Intune, see [Disable hibernation](pde-in-intune/intune-disable-hibernation.md). - [Allowing users to select when a password is required when resuming from connected standby disabled](/windows/client-management/mdm/policy-csp-admx-credentialproviders#admx-credentialproviders-allowdomaindelaylock) - When this policy isn't configured, the outcome between on-premises Active Directory joined devices and workgroup devices, including native Azure Active Directory joined devices, is different: + When this policy isn't configured, the outcome between on-premises Active Directory joined devices and workgroup devices, including Azure Active Directory joined devices, is different: - On-premises Active Directory joined devices: 
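Review bot: the hibernation bullet in the `+` line keeps a copy-paste error from the old text: "For more information on disabling crash dumps via Intune, see [Disable hibernation](pde-in-intune/intune-disable-hibernation.md)." should read "For more information on disabling hibernation via Intune, see [Disable hibernation](...)". Since the link target on that line is being rewritten anyway, fix the sentence in the same hunk.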
@@ -66,15 +66,15 @@ ms.date: 12/13/2022 The above is the desired outcome, but PDE isn't supported with on-premises Active Directory joined devices. - - Workgroup devices, including native Azure AD joined devices: + - Workgroup devices, including Azure AD joined devices: - A user on a Connected Standby device can change the amount of time after the device´s screen turns off before a password is required to wake the device. - During the time when the screen turns off but a password isn't required, the keys used by PDE to protect content could potentially be exposed. This outcome isn't a desired outcome. - Because of this undesired outcome, it's recommended to explicitly disable this policy on native Azure AD joined devices instead of leaving it at the default of not configured. + Because of this undesired outcome, it's recommended to explicitly disable this policy on Azure AD joined devices instead of leaving it at the default of **Not configured**. - For information on disabling this policy via Intune, see [Disable allowing users to select when a password is required when resuming from connected standby](configure-pde-in-intune.md#disable-allowing-users-to-select-when-a-password-is-required-when-resuming-from-connected-standby). + For information on disabling this policy via Intune, see [Disable allowing users to select when a password is required when resuming from connected standby](pde-in-intune/intune-disable-password-connected-standby.md). ### Highly recommended 
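Review bot: the unchanged context in this hunk uses an acute accent in "the device´s screen" where an apostrophe is intended (device's); the same typo is carried into the new intune-disable-password-connected-standby.md, so fix both while these paragraphs are being touched. The change to **Not configured** and the dropping of "native" are fine; the context sentence "This outcome isn't a desired outcome." could be tightened to "This isn't the desired outcome." while here.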
@@ -135,7 +135,7 @@ There's also a [PDE CSP](/windows/client-management/mdm/personaldataencryption-c > [!NOTE] > Enabling the PDE policy on devices only enables the PDE feature. It does not protect any content. To protect content via PDE, use the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). The PDE APIs can be used to create custom applications and scripts to specify which content to protect and at what level to protect the content. Additionally, the PDE APIs can't be used to protect content until the PDE policy has been enabled. -For information on enabling PDE via Intune, see [Enable Personal Data Encryption (PDE)](configure-pde-in-intune.md#enable-personal-data-encryption-pde). +For information on enabling PDE via Intune, see [Enable Personal Data Encryption (PDE)](pde-in-intune/intune-enable-pde.md). ## Differences between PDE and BitLocker diff --git a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-arso.md b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-arso.md new file mode 100644 index 0000000000..539e53bc24 --- /dev/null +++ b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-arso.md 
@@ -0,0 +1,73 @@ +--- +title: Disable ARSO in Intune +description: Disable ARSO in Intune +author: frankroj +ms.author: frankroj +ms.reviewer: rhonnegowda +manager: aaroncz +ms.topic: how-to +ms.prod: windows-client +ms.technology: itpro-security +ms.localizationpriority: medium +ms.date: 03/10/2023 +--- + +# Disable Winlogon automatic restart sign-on (ARSO) in Intune + +Winlogon automatic restart sign-on (ARSO) is not supported for use in conjunction with Personal Data Encryption (PDE). To disable ARSO using Intune, follow the below steps: + +1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). + +1. In the **Home** screen, select **Devices**. + +1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**. + +1. In the **Devices | Configuration profiles screen**, select **Create profile**. + +1. In the **Create profile** window: + + 1. Under **Platform**, select **Windows 10 and later**. + + 1. Under **Profile type**, select **Templates**. + + 1. When the templates appears, under **Template name**, select **Administrative templates**. + + 1. Select **Create**. + +1. In the **Basics** page of the **Create profile** screen: + + 1. Next to **Name**, enter **Disable ARSO**. + + 1. Next to **Description**, enter a description. + + 1. Select **Next**. + +1. In the **Configuration settings** page: + + 1. At the top of the page, make sure **Computer Configuration** is selected. + + 1. Under **Setting name**, scroll down and select **Windows Components**. + + 1. Under **Setting name**, scroll down and select **Windows Logon Options**. You may need to navigate between pages on the bottom right corner before finding the **Windows Logon Options** option. + + 1. Under **Setting name** of the **Windows Logon Options** pane, select **Sign-in and lock last interactive user automatically after a restart**. + + 1. 
In the **Sign-in and lock last interactive user automatically after a restart** window that opens, select **Disabled**, and then select **OK** + + 1. Select **Next** + +1. In the **Scope tags** page, configure if necessary and then select **Next**. + +1. In the **Assignments** page: + + 1. Under **Included groups**, select **Add groups**. + + > [!NOTE] + > + > Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile. + + 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select**. + + 1. Under **Groups**, ensure the correct group(s) are selected, and then select **Next**. + +1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**. diff --git a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-hibernation.md b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-hibernation.md new file mode 100644 index 0000000000..0752525499 --- /dev/null +++ b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-hibernation.md 
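Review bot: number agreement and punctuation in intune-disable-arso.md: "When the templates appears, under **Template name**, select **Administrative templates**." should be "When the templates appear, ...", and the steps "select **Disabled**, and then select **OK**" and "Select **Next**" are the only list items in the file without a terminating period. The front matter `+title: Disable ARSO in Intune` is also much shorter than the H1; matching it to "Disable Winlogon automatic restart sign-on (ARSO) in Intune" keeps search results and the page heading consistent, as the other new pages do.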
@@ -0,0 +1,73 @@ +--- +title: Disable hibernation in Intune +description: Disable hibernation in Intune +author: frankroj +ms.author: frankroj +ms.reviewer: rhonnegowda +manager: aaroncz +ms.topic: how-to +ms.prod: windows-client +ms.technology: itpro-security +ms.localizationpriority: medium +ms.date: 03/10/2023 +--- + +# Disable hibernation in Intune + +Hibernation files can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable hibernation. + +To disable hibernation using Intune: + +1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). + +1. In the **Home** screen, select **Devices**. + +1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**. + +1. In the **Devices | Configuration profiles screen**, select **Create profile**. + +1. In the **Create profile** window: + + 1. Under **Platform**, select **Windows 10 and later**. + + 1. Under **Profile type**, select **Settings catalog**. + + 1. Select **Create**. + +1. In the **Basics** page of the **Create profile** screen: + + 1. Next to **Name**, enter **Disable Hibernation**. + + 1. Next to **Description**, enter a description. + + 1. Select **Next**. + +1. In the **Configuration settings** page: + + 1. select **Add settings**. + + 1. In the **Settings picker** window: + + 1. Under **Browse by category**, scroll down and select **Power**. + + 1. When the settings for the **Power** category appear under **Setting name**, select **Allow Hibernate**, and then select the **X** in the top right corner of the **Settings picker** window to close the window. + + 1. Change **Allow Hibernate** from **Allow** to **Block** by selecting the slider next to the option. + + 1. Select **Next**. + +1. In the **Scope tags** page, configure if necessary and then select **Next**. + +1. In the **Assignments** page: + + 1. Under **Included groups**, select **Add groups**. 
+ + > [!NOTE] + > + > Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile. + + 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select**. + + 1. Under **Groups**, ensure the correct group(s) are selected, and then select **Next**. + +1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**. diff --git a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-memory-dumps.md b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-memory-dumps.md new file mode 100644 index 0000000000..d81f9a7232 --- /dev/null +++ b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-memory-dumps.md 
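Review bot: in intune-disable-hibernation.md the step "select **Add settings**." under **Configuration settings** is lowercase while every sibling step starts with "Select"; capitalize it. Otherwise the procedure mirrors the settings-catalog flow of the other new pages, and the **Allow Hibernate** set to **Block** step matches the Power CSP setting that overview-pde.md links for this requirement.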
@@ -0,0 +1,70 @@ +--- +title: Disable hibernation in Intune +description: Disable hibernation in Intune +author: frankroj +ms.author: frankroj +ms.reviewer: rhonnegowda +manager: aaroncz +ms.topic: how-to +ms.prod: windows-client +ms.technology: itpro-security +ms.localizationpriority: medium +ms.date: 03/10/2023 +--- + +# Disable kernel-mode crash dumps and live dumps in Intune + +Kernel-mode crash dumps and live dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable kernel-mode crash dumps and live dumps. + +To disable kernel-mode crash dumps and live dumps using Intune: + +1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). + +1. In the **Home** screen, select **Devices**. + +1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**. + +1. In the **Devices | Configuration profiles screen**, select **Create profile**. + +1. In the **Create profile** window: + + 1. Under **Platform**, select **Windows 10 and later**. + + 1. Under **Profile type**, select **Settings catalog**. + + 1. Select **Create**. + +1. In the **Basics** page of the **Create profile** screen: + + 1. Next to **Name**, enter **Disable Kernel-Mode Crash Dumps**. + + 1. Next to **Description**, enter a description. + + 1. Select **Next**. + +1. In the **Configuration settings** page: + + 1. Select **Add settings**. + 1. In the **Settings picker** pane: + + 1. Under **Browse by category**, scroll down and select **Memory Dump**. + + 1. When the settings for the **Memory Dump** category appear under **Setting name**, select both **Allow Crash Dump** and **Allow Live Dump**, and then select the **X** in the top right corner of the **Settings picker** window to close the window. + + 1. Change both **Allow Live Dump** and **Allow Crash Dump** from **Allow** to **Block** by selecting the slider next to each option, and then select **Next**. + +1. 
In the **Scope tags** page, configure if necessary and then select **Next**. + +1. In the **Assignments** page: + + 1. Under **Included groups**, select **Add groups**. + + > [!NOTE] + > + > Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile. + + 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select**. + + 1. Under **Groups**, ensure the correct group(s) are selected, and then select **Next**. + +1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**. diff --git a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-password-connected-standby.md b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-password-connected-standby.md new file mode 100644 index 0000000000..ef2e52b7ad --- /dev/null +++ b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-password-connected-standby.md 
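Review bot: the front matter of intune-disable-memory-dumps.md is a copy-paste leftover: `+title: Disable hibernation in Intune` and `+description: Disable hibernation in Intune` don't match the H1 "Disable kernel-mode crash dumps and live dumps in Intune"; set both to the H1 text. Two smaller points in the same file: "Select **Add settings**." is immediately followed by "1. In the **Settings picker** pane:" without the blank line used between list items everywhere else, and this page says "pane" where the sibling pages call the same control the **Settings picker** "window"; pick one term across the set.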
@@ -0,0 +1,93 @@ +--- +title: Disable allowing users to select when a password is required when resuming from connected standby in Intune +description: Disable allowing users to select when a password is required when resuming from connected standby in Intune +author: frankroj +ms.author: frankroj +ms.reviewer: rhonnegowda +manager: aaroncz +ms.topic: how-to +ms.prod: windows-client +ms.technology: itpro-security +ms.localizationpriority: medium +ms.date: 03/10/2023 +--- + +# Disable allowing users to select when a password is required when resuming from connected standby in Intune + +When the **Disable allowing users to select when a password is required when resuming from connected standby** policy isn't configured, the outcome between on-premises Active Directory joined devices and workgroup devices, including Azure Active Directory joined devices, is different: + +- On-premises Active Directory joined devices: + + - A user can't change the amount of time after the device´s screen turns off before a password is required when waking the device. + + - A password is required immediately after the screen turns off. + + The above is the desired outcome, but PDE isn't supported with on-premises Active Directory joined devices. + +- Workgroup devices, including Azure AD joined devices: + + - A user on a Connected Standby device can change the amount of time after the device´s screen turns off before a password is required to wake the device. + + - During the time when the screen turns off but a password isn't required, the keys used by PDE to protect content could potentially be exposed. This outcome isn't a desired outcome. + +Because of this undesired outcome, it's recommended to explicitly disable this policy on Azure AD joined devices instead of leaving it at the default of **Not configured**. + +To disable the policy **Disable allowing users to select when a password is required when resuming from connected standby** using Intune, follow the below steps: + +1. 
Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). + +2. In the **Home** screen, select **Devices**. + +3. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**. + +4. In the **Devices | Configuration profiles screen**, select **Create profile**. + +5. In the **Create profile** window: + + 1. Under **Platform**, select **Windows 10 and later**. + + 2. Under **Profile type**, select **Settings catalog**. + + 3. Select **Create**. + +6. In the **Basics** page of the **Create profile** screen: + + 1. Next to **Name**, enter **Disable allowing users to select when a password is required when resuming from connected standby**. + + 2. Next to **Description**, enter a description. + + 3. Select **Next**. + +7. In the **Configuration settings** page: + + 1. Select **Add settings**. + + 2. In the **Settings picker** window: + + 1. Under **Browse by category**, expand **Administrative Templates** by selecting the **>** to the left of it. + + 2. Under **Administrative Templates**, scroll down and expand **System**. + + 3. Under **System**, scroll down and select **Logon**. + + 4. When the settings for the **Logon** subcategory appear under **Setting name**, select **Allow users to select when a password is required when resuming from connected standby**, and then select the **X** in the top right corner of the **Settings picker** window to close the window. + + 3. Leave the slider for **Allow users to select when a password is required when resuming from connected standby** at the default of **Disabled**. + + 4. select **Next**. + +8. In the **Scope tags** page, configure if necessary and then select **Next**. + +9. In the **Assignments** page: + + 1. Under **Included groups**, select **Add groups**. + + > [!NOTE] + > + > Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. 
Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile. + + 2. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select**. + + 3. Under **Groups**, ensure the correct group(s) are selected, and then select **Next**. + +10. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**. diff --git a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-wer.md b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-wer.md new file mode 100644 index 0000000000..3d1e664a36 --- /dev/null +++ b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-wer.md 
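Review bot: the first paragraph of intune-disable-password-connected-standby.md names the policy as **Disable allowing users to select when a password is required when resuming from connected standby**, but that is the page title, not the policy. The setting selected in step 7 (and the ADMX link in overview-pde.md) is **Allow users to select when a password is required when resuming from connected standby**, so "When the **Disable allowing users ...** policy isn't configured" and the later "To disable the policy **Disable allowing users ...**" should use the real setting name; as written the reader is asked to disable a "Disable ..." policy, which is a double negative. Also in this file: list items are numbered 1., 2., 3. ... while every other new page uses the repeated "1." convention; "select **Next**." under step 7 is lowercase; and "device´s" uses an acute accent for an apostrophe (twice).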
@@ -0,0 +1,77 @@ +--- +title: Disable allowing users to select when a password is required when resuming from connected standby in Intune +description: Disable allowing users to select when a password is required when resuming from connected standby in Intune +author: frankroj +ms.author: frankroj +ms.reviewer: rhonnegowda +manager: aaroncz +ms.topic: how-to +ms.prod: windows-client +ms.technology: itpro-security +ms.localizationpriority: medium +ms.date: 03/10/2023 +--- + +# Disable Windows Error Reporting (WER)/Disable user-mode crash dumps in Intune + +Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode crash dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable user-mode crash dumps. + +To disable Windows Error Reporting (WER) and user-mode crash dumps using Intune, follow the below steps: + +1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). + +1. In the **Home** screen, select **Devices**. + +1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**. + +1. In the **Devices | Configuration profiles screen**, select **Create profile**. + +1. In the **Create profile** window: + + 1. Under **Platform**, select **Windows 10 and later**. + + 1. Under **Profile type**, select **Settings catalog**. + + 1. Select **Create**. + +1. In the **Basics** page of the **Create profile** screen: + + 1. Next to **Name**, enter **Disable Windows Error Reporting (WER)**. + + 1. Next to **Description**, enter a description. + + 1. Select **Next**. + +1. In the **Configuration settings** page: + + 1. Select **Add settings**. + + 1. In the **Settings picker** window: + + 1. Under **Browse by category**, expand **Administrative Templates** by selecting the **>** to the left of it. + + 1. Under **Administrative Templates**, scroll down and expand **Windows Components**. + + 1. 
Under **Windows Components**, scroll down and select **Windows Error Reporting**. + + 1. When the settings for the **Windows Error Reporting** subcategory appear under **Setting name**, select **Disable Windows Error Reporting**, and then select the **X** in the top right corner of the **Settings picker** window to close the window. + + 1. Change **Disable Windows Error Reporting** from **Disabled** to **Enabled** by selecting the slider next to the option. + + 1. select **Next**. + +1. In the **Scope tags** page, configure if necessary and then select **Next**. + +1. In the **Assignments** page: + + 1. Under **Included groups**, select **Add groups**. + + > [!NOTE] + > + > Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile. + + 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select**. + + 1. Under **Groups**, ensure the correct group(s) are selected, and then select **Next**. + +1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**. diff --git a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-enable-pde.md b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-enable-pde.md new file mode 100644 index 0000000000..e07428004e --- /dev/null +++ b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-enable-pde.md 
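Review bot: the front matter of intune-disable-wer.md is copied from the connected-standby page: `+title: Disable allowing users to select when a password is required when resuming from connected standby in Intune` and the matching `description` don't describe this page; set both to "Disable Windows Error Reporting (WER)/Disable user-mode crash dumps in Intune" to match the H1. Also "select **Next**." under the Settings picker steps is lowercase. The Settings picker path (Administrative Templates > Windows Components > Windows Error Reporting > **Disable Windows Error Reporting** set to **Enabled**) is consistent with the ErrorReporting CSP link that overview-pde.md gives for this requirement.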
@@ -0,0 +1,76 @@ +--- +title: Enable Personal Data Encryption (PDE) in Intune +description: Enable Personal Data Encryption (PDE) in Intune +author: frankroj +ms.author: frankroj +ms.reviewer: rhonnegowda +manager: aaroncz +ms.topic: how-to +ms.prod: windows-client +ms.technology: itpro-security +ms.localizationpriority: medium +ms.date: 03/10/2023 +--- + +### Enable Personal Data Encryption (PDE) in Intune + +To enable Personal Data Encryption (PDE) using Intune, follow the below steps: + +1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). + +1. In the **Home** screen, select **Devices**. + +1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**. + +1. In the **Devices | Configuration profiles screen**, select **Create profile**. + +1. In the **Create profile** window: + + 1. Under **Platform**, select **Windows 10 and later**. + + 1. Under **Profile type**, select **Templates**. + + 1. When the templates appears, under **Template name**, select **Custom**. + + 1. Select **Create**. + +1. In the **Basics** page of the **Custom** screen: + + 1. Next to **Name**, enter **Personal Data Encryption**. + + 1. Next to **Description**, enter a description. + + 1. Select **Next**. + +1. In **Configuration settings** page: + + 1. Select **Add**. + + 1. In the **Add Row** pane: + + 1. Next to **Name**, enter **Personal Data Encryption**. + 1. Next to **Description**, enter a description. + 1. Next to **OMA-URI**, enter in **./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption**. + 1. Next to **Data type**, select **Integer**. + 1. Next to **Value**, enter in **1**. + 1. Select **Save**. + + 1. Select **Next** + +1. In the **Scope tags** page, configure if necessary and then select **Next**. + +1. In the **Assignments** page: + + 1. Under **Included groups**, select **Add groups**. 
+ + > [!NOTE] + > + > Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile. + + 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select**. + + 1. Under **Groups**, ensure the correct group(s) are selected, and then select **Next**. + +1. In **Applicability Rules**, configure if necessary and then select **Next**. + +1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**. From 88711a811b789a2169518f77bb9c85f7d794b4a8 Mon Sep 17 00:00:00 2001 From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Fri, 10 Mar 2023 21:14:10 -0500 Subject: [PATCH 028/101] PDE Intune Config Updates 3 --- .../personal-data-encryption/configure-pde-in-intune.md | 2 +- .../pde-in-intune/intune-disable-arso.md | 2 +- .../pde-in-intune/intune-disable-memory-dumps.md | 4 ++-- .../pde-in-intune/intune-disable-wer.md | 4 ++-- .../pde-in-intune/intune-enable-pde.md | 2 +- 5 files changed, 7 insertions(+), 7 deletions(-) diff --git a/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md b/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md index 4c21c312f0..86d8b1bf3a 100644 --- a/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md +++ b/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md 
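Review bot: the page heading `+### Enable Personal Data Encryption (PDE) in Intune` in intune-enable-pde.md is an H3 in a file with no H1; every other new page under pde-in-intune/ opens with `#`, so this should be `# Enable Personal Data Encryption (PDE) in Intune`. In the same file, "When the templates appears" should be "When the templates appear", the **Add Row** sub-steps are run together without the blank lines used between items elsewhere, and "Select **Next**" lacks a period. Since the OMA-URI `./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption` is in the `./User/` scope, a sentence stating that the setting applies per signed-in user would help admins choose their assignment groups, and a link back to the overview-pde.md note that enabling the policy only turns the feature on and protects no content until the PDE APIs are used would belong here too.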
@@ -17,7 +17,7 @@ ms.date: 03/10/2023 # Configure Personal Data Encryption (PDE) policies in Intune -The various required and recommended polices needed for Personal Data Encryption (PDE) can be configured in Intune. The following links for both required and recommended policies contain step by step instruction son how to configure these policies in Intune. +The various required and recommended policies needed for Personal Data Encryption (PDE) can be configured in Intune. The following links for both required and recommended policies contain step by step instructions on how to configure these policies in Intune. ## Required prerequisites diff --git a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-arso.md b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-arso.md index 539e53bc24..87ae487482 100644 --- a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-arso.md +++ b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-arso.md @@ -14,7 +14,7 @@ ms.date: 03/10/2023 # Disable Winlogon automatic restart sign-on (ARSO) in Intune -Winlogon automatic restart sign-on (ARSO) is not supported for use in conjunction with Personal Data Encryption (PDE). To disable ARSO using Intune, follow the below steps: +Winlogon automatic restart sign-on (ARSO) isn't supported for use with Personal Data Encryption (PDE). To disable ARSO using Intune, follow the below steps: 1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). diff --git a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-memory-dumps.md b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-memory-dumps.md index d81f9a7232..d16c4bf1f5 100644 
--- a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-memory-dumps.md +++ b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-memory-dumps.md @@ -1,6 +1,6 @@ --- -title: Disable hibernation in Intune -description: Disable hibernation in Intune +title: Disable kernel-mode crash dumps and live dumps in Intune +description: Disable kernel-mode crash dumps and live dumps in Intune author: frankroj ms.author: frankroj ms.reviewer: rhonnegowda diff --git a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-wer.md b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-wer.md index 3d1e664a36..e83bb5eb89 100644 --- a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-wer.md +++ b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-wer.md @@ -1,6 +1,6 @@ --- -title: Disable allowing users to select when a password is required when resuming from connected standby in Intune -description: Disable allowing users to select when a password is required when resuming from connected standby in Intune +title: Disable Windows Error Reporting (WER)/Disable user-mode crash dumps in Intune +description: Disable Windows Error Reporting (WER)/Disable user-mode crash dumps in Intune author: frankroj ms.author: frankroj ms.reviewer: rhonnegowda diff --git a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-enable-pde.md b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-enable-pde.md index e07428004e..77319b3e40 100644 --- a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-enable-pde.md +++ b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-enable-pde.md 
@@ -12,7 +12,7 @@ ms.localizationpriority: medium ms.date: 03/10/2023 --- -### Enable Personal Data Encryption (PDE) in Intune +# Enable Personal Data Encryption (PDE) in Intune To enable Personal Data Encryption (PDE) using Intune, follow the below steps: From 65d025e673f9da496578b9725af11cf6ef29ea12 Mon Sep 17 00:00:00 2001 From: Bart Billiet Date: Sat, 11 Mar 2023 07:22:44 +0100 Subject: [PATCH 029/101] Update windows/security/identity-protection/hello-for-business/hello-faq.yml Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../identity-protection/hello-for-business/hello-faq.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml index 082c1adff9..621663aecd 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.yml +++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml 
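Review bot: the `title:`/`description:` fixes for intune-disable-memory-dumps.md (was `Disable hibernation in Intune`) and intune-disable-wer.md (was the connected-standby title) show the front matter was copied between the PDE pages; check `title:` and `description:` in intune-disable-hibernation.md and intune-disable-password-connected-standby.md in the same pass so no remaining copy still carries a neighbor's title.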
@@ -238,7 +238,7 @@ sections: - attempting to access on-premises resources secured by Active Directory - question: Can I use RDP/VDI with Windows Hello for Business cloud Kerberos trust? answer: | - Windows Hello for Business cloud Kerberos trust can't be used as a supplied credential with RDP/VDI. Similar to key trust, cloud Kerberos trust can be used for RDP with [remote credential guard](/windows/security/identity-protection/remote-credential-guard) or if a [certificate is enrolled into Windows Hello for Business](hello-deployment-rdp-certs.md) for this purpose. + Windows Hello for Business cloud Kerberos trust can't be used as a supplied credential with RDP/VDI. Similar to key trust, cloud Kerberos trust can be used for RDP with [Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard) or if a [certificate is enrolled into Windows Hello for Business](hello-deployment-rdp-certs.md) for this purpose. - question: Do all my domain controllers need to be fully patched as per the prerequisites for me to use Windows Hello for Business cloud Kerberos trust? answer: | No, only the number necessary to handle the load from all cloud Kerberos trust devices. From 5850e7e9f3b0720d24509cf09d87bf846188c30f Mon Sep 17 00:00:00 2001 From: Office Content Publishing <34616516+officedocspr@users.noreply.github.com> Date: Sat, 11 Mar 2023 23:31:43 -0800 Subject: [PATCH 030/101] Uploaded file: education-content-updates.md - 2023-03-11 23:31:43.6235 --- education/includes/education-content-updates.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/education/includes/education-content-updates.md b/education/includes/education-content-updates.md index bcc60c501f..e9d3004423 100644 --- a/education/includes/education-content-updates.md +++ b/education/includes/education-content-updates.md 
@@ -2,6 +2,19 @@ +## Week of March 06, 2023 + + +| Published On |Topic title | Change | +|------|------------|--------| +| 3/8/2023 | Change to Windows 10 Education from Windows 10 Pro | removed | +| 3/8/2023 | [Deployment recommendations for school IT administrators](/education/windows/edu-deployment-recommendations) | modified | +| 3/8/2023 | Enable S mode on Surface Go devices for Education | removed | +| 3/8/2023 | Switch to Windows 10 Pro Education in S mode from Windows 10 Pro in S mode | removed | +| 3/8/2023 | Test Windows 10 in S mode on existing Windows 10 education devices | removed | +| 3/9/2023 | [Windows for Education documentation](/education/windows/index) | modified | + + ## Week of February 27, 2023 From 55c2e548a5986a6f2a4829ccbbe247dd44f592a3 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Mon, 13 Mar 2023 10:33:21 -0400 Subject: [PATCH 031/101] Update faq-md-app-guard.yml Fix indentation --- .../microsoft-defender-application-guard/faq-md-app-guard.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml index 005b4ad629..c4b1201693 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml +++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml 
@@ -230,7 +230,7 @@ sections: - Visit [Create a new support request](https://support.serviceshub.microsoft.com/supportforbusiness/create). - Under the Product Family, select Windows. Select the product and the product version you need help with. For the category that best describes the issue, select, **Windows Security Technologies**. In the final option, select **Windows Defender Application Guard**. - - question: | + - question: | Is there a way to enable or disable the behavior where the host Edge tab auto-closes when navigating to an untrusted site? answer: | Yes. Use this Edge flag to enable or disable this behavior: From 4ab88035aaf8c804ed23b71abae6d320f33d01de Mon Sep 17 00:00:00 2001 From: tiaraquan Date: Mon, 13 Mar 2023 08:12:47 -0700 Subject: [PATCH 032/101] Pudding brain after daylight savings --- .../whats-new/windows-autopatch-whats-new-2023.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md index b877deab2e..a0c6992fd1 100644 --- a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md +++ b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md @@ -1,7 +1,7 @@ --- title: What's new 2023 description: This article lists the 2023 feature releases and any corresponding Message center post numbers. -ms.date: 03/10/2023 +ms.date: 03/13/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: whats-new 
@@ -24,7 +24,7 @@ Minor corrections such as typos, style, or formatting issues aren't listed. | Article | Description | | ----- | ----- | -| [Microsoft 365 Apps for enterprise](../operate/windows-autopatch-microsoft-365-apps-enterprise.md) | Updated entire article | +| [Microsoft 365 Apps for enterprise](../operate/windows-autopatch-microsoft-365-apps-enterprise.md) | Updated entire article; Added support for subscription versions of Microsoft Project and Visio desktop apps. | | [Customize Windows Update settings](../operate/windows-autopatch-windows-update.md) | New [Customize Windows Update settings](../operate/windows-autopatch-windows-update.md) feature. This feature is in public preview | ### March service release From f689e40a6d7ed317af2b200ab18751cf3f6251ad Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Mon, 13 Mar 2023 11:30:35 -0400 Subject: [PATCH 033/101] Update faq-md-app-guard.yml Minor formatting change --- .../microsoft-defender-application-guard/faq-md-app-guard.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml index c4b1201693..4f5e1124a1 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml +++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml @@ -233,8 +233,7 @@ sections: - question: | Is there a way to enable or disable the behavior where the host Edge tab auto-closes when navigating to an untrusted site? answer: | - Yes. Use this Edge flag to enable or disable this behavior: - --disable-features="msWdagAutoCloseNavigatedTabs" + Yes. Use this Edge flag to enable or disable this behavior: `--disable-features="msWdagAutoCloseNavigatedTabs"` additionalContent: | 
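Review bot: the answer says `Use this Edge flag to enable or disable this behavior`, but `--disable-features="msWdagAutoCloseNavigatedTabs"` only disables the auto-close; state that the behavior is on by default and that launching Edge without the switch restores it, otherwise the reader has no way to "enable". Since `--disable-features` is a command-line switch passed when msedge.exe starts, the answer should say so rather than calling it a flag, which readers may look for under edge://flags.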
From a88c365a86d112a93c304552935b02cebc056e11 Mon Sep 17 00:00:00 2001 From: tiaraquan Date: Mon, 13 Mar 2023 09:37:17 -0700 Subject: [PATCH 034/101] Tweak --- .../whats-new/windows-autopatch-whats-new-2023.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md index a0c6992fd1..79523a8850 100644 --- a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md +++ b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md @@ -24,7 +24,7 @@ Minor corrections such as typos, style, or formatting issues aren't listed. | Article | Description | | ----- | ----- | -| [Microsoft 365 Apps for enterprise](../operate/windows-autopatch-microsoft-365-apps-enterprise.md) | Updated entire article; Added support for subscription versions of Microsoft Project and Visio desktop apps. | +| [Microsoft 365 Apps for enterprise](../operate/windows-autopatch-microsoft-365-apps-enterprise.md) |
  • Added support for subscription versions of Microsoft Project and Visio desktop apps
  • Updated device eligibility criteria
  • Clarified update controls
| | [Customize Windows Update settings](../operate/windows-autopatch-windows-update.md) | New [Customize Windows Update settings](../operate/windows-autopatch-windows-update.md) feature. This feature is in public preview | ### March service release From 4fdd48e9103fa24fc749d40dc0612457f3586ab0 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Mon, 13 Mar 2023 13:31:34 -0400 Subject: [PATCH 035/101] Mo Changes --- windows/client-management/connect-to-remote-aadj-pc.md | 2 +- windows/client-management/quick-assist.md | 3 +-- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/windows/client-management/connect-to-remote-aadj-pc.md b/windows/client-management/connect-to-remote-aadj-pc.md index f65357896a..2abfcd2135 100644 --- a/windows/client-management/connect-to-remote-aadj-pc.md +++ b/windows/client-management/connect-to-remote-aadj-pc.md @@ -19,7 +19,7 @@ ms.technology: itpro-manage # Connect to remote Azure Active Directory joined device -From its release, Windows has supported remote connections to devices joined to Active Directory using Remote Desktop Protocol (RDP). Windows 10, version 1607, added the ability to connect to a device that is joined to Azure Active Directory (Azure AD) using RDP. +From its release, Windows has supported remote connections to devices joined to Active Directory using Remote Desktop Protocol (RDP). Windows 10, version 1607 added the ability to connect to a device that is joined to Azure Active Directory (Azure AD) using RDP. - Starting in Windows 10, version 1809, you can [use biometrics to authenticate to a remote desktop session](/windows/whats-new/whats-new-windows-10-version-1809#remote-desktop-with-biometrics). - Starting in Windows 10/11, with 2022-09 preview update installed, you can [use Azure AD authentication to connect to the remote Azure AD device](#connect-with-azure-ad-authentication). 
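Review bot: the replaced cell in windows-autopatch-whats-new-2023.md now spans four source lines with `•` bullets, and a markdown table row cannot contain line breaks, so the row will render broken (the closing `|` ends up on its own line). Keep the cell on one line and separate the items with `<br>` or semicolons, e.g. `| ... | Added support for subscription versions of Microsoft Project and Visio desktop apps<br>Updated device eligibility criteria<br>Clarified update controls |`.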
diff --git a/windows/client-management/quick-assist.md b/windows/client-management/quick-assist.md index 3da7ff8050..4e59e30993 100644 --- a/windows/client-management/quick-assist.md +++ b/windows/client-management/quick-assist.md @@ -78,9 +78,8 @@ Either the support staff or a user can start a Quick Assist session. ## How it works 1. Both the helper and the sharer start Quick Assist. -1. The helper selects **Assist another person**. Quick Assist on the helper's side contacts the Remote Assistance Service to obtain a session code. An RCC chat session is established, and the helper's Quick Assist instance joins it. The helper then provides the code to the sharer. +1. The helper selects **Help someone**. Quick Assist on the helper's side contacts the Remote Assistance Service to obtain a session code. An RCC chat session is established, and the helper's Quick Assist instance joins it. The helper then provides the code to the sharer. 1. After the sharer enters the code in their Quick Assist app, Quick Assist uses that code to contact the Remote Assistance Service and join that specific session. The sharer's Quick Assist instance joins the RCC chat session. -1. The helper is prompted to select **View Only** or **Full Control**. 1. The sharer is prompted to confirm allowing the helper to share their desktop with the helper. 1. Quick Assist starts RDP control and connects to the RDP Relay service. 1. RDP shares the video to the helper over https (port 443) through the RDP relay service to the helper's RDP control. Input is shared from the helper to the sharer through the RDP relay service. From 680a95cf74e81633bf33cbdce139706e5c5cb2b0 Mon Sep 17 00:00:00 2001 
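Review bot: deleting `The helper is prompted to select **View Only** or **Full Control**` leaves the sequence with no step where the level of access is chosen, yet the RDP step still says input is shared from the helper to the sharer; if that choice moved elsewhere in the flow, say where, because it is the permission the sharer is consenting to in the next step. That consent step also reads `confirm allowing the helper to share their desktop with the helper`, which should be `confirm allowing the helper to view or control their desktop`.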
From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Mon, 13 Mar 2023 14:48:12 -0400 Subject: [PATCH 036/101] PDE Intune Config Updates 4 --- .../configure-pde-in-intune.md | 4 +- .../pde-in-intune/intune-disable-arso.md | 53 ++++++++++---- .../intune-disable-hibernation.md | 51 +++++++++---- .../intune-disable-memory-dumps.md | 52 +++++++++---- ...tune-disable-password-connected-standby.md | 73 ++++++++++++------- .../pde-in-intune/intune-disable-wer.md | 47 ++++++++---- .../pde-in-intune/intune-enable-pde.md | 64 ++++++++++++---- 7 files changed, 246 insertions(+), 98 deletions(-) diff --git a/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md b/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md index 86d8b1bf3a..6beab3070b 100644 --- a/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md +++ b/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md @@ -1,5 +1,5 @@ --- -title: Configure Personal Data Encryption (PDE) in Intune +title: Configure Personal Data Encryption (PDE) using Intune description: Configuring and enabling Personal Data Encryption (PDE) required and recommended policies in Intune author: frankroj ms.author: frankroj @@ -15,7 +15,7 @@ ms.date: 03/10/2023 -# Configure Personal Data Encryption (PDE) policies in Intune +# Configure Personal Data Encryption (PDE) policies using Intune The various required and recommended policies needed for Personal Data Encryption (PDE) can be configured in Intune. The following links for both required and recommended policies contain step by step instructions on how to configure these policies in Intune. 
diff --git a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-arso.md b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-arso.md index 87ae487482..206cc5bffd 100644 --- a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-arso.md +++ b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-arso.md @@ -1,6 +1,6 @@ --- -title: Disable ARSO in Intune -description: Disable ARSO in Intune +title: Disable Winlogon automatic restart sign-on (ARSO) for PDE using Intune +description: Disable Winlogon automatic restart sign-on (ARSO) for PDE using Intune author: frankroj ms.author: frankroj ms.reviewer: rhonnegowda 
@@ -12,29 +12,33 @@ ms.localizationpriority: medium ms.date: 03/10/2023 --- -# Disable Winlogon automatic restart sign-on (ARSO) in Intune +# Disable Winlogon automatic restart sign-on (ARSO) for PDE -Winlogon automatic restart sign-on (ARSO) isn't supported for use with Personal Data Encryption (PDE). To disable ARSO using Intune, follow the below steps: +Winlogon automatic restart sign-on (ARSO) isn't supported for use with Personal Data Encryption (PDE). For this reason, in order to use PDE, ARSO needs to be disabled. + +## Disable Winlogon automatic restart sign-on (ARSO) using Intune + +To disable ARSO using Intune, follow the below steps: 1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -1. In the **Home** screen, select **Devices**. +1. In the **Home** screen, select **Devices** in the left pane. 1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**. -1. In the **Devices | Configuration profiles screen**, select **Create profile**. +1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**. -1. In the **Create profile** window: +1. In the **Create profile** window that opens: 1. Under **Platform**, select **Windows 10 and later**. 1. Under **Profile type**, select **Templates**. - 1. When the templates appears, under **Template name**, select **Administrative templates**. + 1. When the templates appear, under **Template name**, select **Administrative templates**. - 1. Select **Create**. + 1. Select **Create** to close the **Create profile** window. -1. In the **Basics** page of the **Create profile** screen: +1. The **Create profile** screen will open. In the **Basics** page: 1. Next to **Name**, enter **Disable ARSO**. 
@@ -44,7 +48,7 @@ Winlogon automatic restart sign-on (ARSO) isn't supported for use with Personal 1. In the **Configuration settings** page: - 1. At the top of the page, make sure **Computer Configuration** is selected. + 1. On the left pane of the page, make sure **Computer Configuration** is selected. 1. Under **Setting name**, scroll down and select **Windows Components**. 
@@ -64,10 +68,31 @@ Winlogon automatic restart sign-on (ARSO) isn't supported for use with Personal > [!NOTE] > - > Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile. + > Make sure to select **Add groups** under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile. - 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select**. + 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window. - 1. Under **Groups**, ensure the correct group(s) are selected, and then select **Next**. + 1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**. 1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**. 
+ +## Additional PDE configurations in Intune + +### Required prerequisites + +- [Enable Personal Data Encryption (PDE)](../pde-in-intune/intune-enable-pde.md) + +### Security hardening recommendations + +- [Disable kernel-mode crash dumps and live dumps](../pde-in-intune/intune-disable-memory-dumps.md) + +- [Disable Windows Error Reporting (WER)/Disable user-mode crash dumps](../pde-in-intune/intune-disable-wer.md) + +- [Disable hibernation](../pde-in-intune/intune-disable-hibernation.md) + +- [Disable allowing users to select when a password is required when resuming from connected standby](../pde-in-intune/intune-disable-password-connected-standby.md) + +## More information + +- [Personal Data Encryption (PDE)](../overview-pde.md) +- [Personal Data Encryption (PDE) FAQ](../faq-pde.yml) diff --git a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-hibernation.md b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-hibernation.md index 0752525499..be8e18a1ba 100644 --- a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-hibernation.md +++ b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-hibernation.md @@ -1,6 +1,6 @@ --- -title: Disable hibernation in Intune -description: Disable hibernation in Intune +title: Disable hibernation for PDE using Intune +description: Disable hibernation for PDE using Intune author: frankroj ms.author: frankroj ms.reviewer: rhonnegowda 
@@ -12,29 +12,31 @@ ms.localizationpriority: medium ms.date: 03/10/2023 --- -# Disable hibernation in Intune +# Disable hibernation for PDE -Hibernation files can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable hibernation. +Hibernation files can potentially cause the keys used by Personal Data Encryption (PDE) to protect content to be exposed. For greatest security, disable hibernation. -To disable hibernation using Intune: +## Disable hibernation using Intune + +To disable hibernation using Intune, follow the below steps: 1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -1. In the **Home** screen, select **Devices**. +1. In the **Home** screen, select **Devices** in the left pane. 1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**. -1. In the **Devices | Configuration profiles screen**, select **Create profile**. +1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**. -1. In the **Create profile** window: +1. In the **Create profile** window that opens: 1. Under **Platform**, select **Windows 10 and later**. 1. Under **Profile type**, select **Settings catalog**. - 1. Select **Create**. + 1. Select **Create** to close the **Create profile** window. -1. In the **Basics** page of the **Create profile** screen: +1. The **Create profile** screen will open. In the **Basics** page: 1. Next to **Name**, enter **Disable Hibernation**. 
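Review bot: the intro sentence states that hibernation files can expose PDE keys but not why; add the mechanism (hibernation writes the contents of memory, including any keys unlocked at the time, to the hibernation file on disk) so readers can weigh the risk on devices where hibernation is otherwise wanted.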
@@ -46,11 +48,11 @@ To disable hibernation using Intune: 1. select **Add settings**. - 1. In the **Settings picker** window: + 1. In the **Settings picker** window that opens: 1. Under **Browse by category**, scroll down and select **Power**. - 1. When the settings for the **Power** category appear under **Setting name**, select **Allow Hibernate**, and then select the **X** in the top right corner of the **Settings picker** window to close the window. + 1. When the settings for the **Power** category appear under **Setting name** in the lower pane, select **Allow Hibernate**, and then select the **X** in the top right corner of the **Settings picker** window to close the window. 1. Change **Allow Hibernate** from **Allow** to **Block** by selecting the slider next to the option. 
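Review bot: the unchanged context line `1. select **Add settings**.` at the top of this hunk starts lowercase while every other step starts with `Select`; capitalize it while the file is being touched. The last step flips **Allow Hibernate** to **Block** but, unlike the corresponding step on the kernel-dump page in this patch, does not end with `and then select **Next**`; check that the following step covers it.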
@@ -66,8 +68,29 @@ To disable hibernation using Intune: > > Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile. - 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select**. + 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window. - 1. Under **Groups**, ensure the correct group(s) are selected, and then select **Next**. + 1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**. 1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**. + +## Additional PDE configurations in Intune + +### Required prerequisites + +- [Enable Personal Data Encryption (PDE)](../pde-in-intune/intune-enable-pde.md) + +- [Disable Winlogon automatic restart sign-on (ARSO)](../pde-in-intune/intune-disable-arso.md) + +### Security hardening recommendations + +- [Disable kernel-mode crash dumps and live dumps](../pde-in-intune/intune-disable-memory-dumps.md) + +- [Disable Windows Error Reporting (WER)/Disable user-mode crash dumps](../pde-in-intune/intune-disable-wer.md) + +- [Disable allowing users to select when a password is required when resuming from connected standby](../pde-in-intune/intune-disable-password-connected-standby.md) + +## More information + +- [Personal Data Encryption (PDE)](../overview-pde.md) +- [Personal Data Encryption (PDE) FAQ](../faq-pde.yml) 
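Review bot: the `[!NOTE]` in this hunk's context still reads `Make sure to add the correct groups under **Included groups**`, while the same note in intune-disable-arso.md was reworded in this patch to `Make sure to select **Add groups** under **Included groups**`; apply the same wording here (and in intune-disable-memory-dumps.md) so the three pages do not drift.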
diff --git a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-memory-dumps.md b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-memory-dumps.md index d16c4bf1f5..f506d7494c 100644 --- a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-memory-dumps.md +++ b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-memory-dumps.md @@ -1,6 +1,6 @@ --- -title: Disable kernel-mode crash dumps and live dumps in Intune -description: Disable kernel-mode crash dumps and live dumps in Intune +title: Disable kernel-mode crash dumps and live dumps for PDE using Intune +description: Disable kernel-mode crash dumps and live dumps for PDE using Intune author: frankroj ms.author: frankroj ms.reviewer: rhonnegowda 
@@ -12,29 +12,31 @@ ms.localizationpriority: medium ms.date: 03/10/2023 --- -# Disable kernel-mode crash dumps and live dumps in Intune +# Disable kernel-mode crash dumps and live dumps for PDE -Kernel-mode crash dumps and live dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable kernel-mode crash dumps and live dumps. +Kernel-mode crash dumps and live dumps can potentially cause the keys used by Personal Data Encryption (PDE) to protect content to be exposed. For greatest security, disable kernel-mode crash dumps and live dumps. -To disable kernel-mode crash dumps and live dumps using Intune: +## Disable kernel-mode crash dumps and live dumps using Intune + +To disable kernel-mode crash dumps and live dumps using Intune, follow the below steps: 1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -1. In the **Home** screen, select **Devices**. +1. In the **Home** screen, select **Devices** in the left pane. 1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**. -1. In the **Devices | Configuration profiles screen**, select **Create profile**. +1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**. -1. In the **Create profile** window: +1. In the **Create profile** window that opens: 1. Under **Platform**, select **Windows 10 and later**. 1. Under **Profile type**, select **Settings catalog**. - 1. Select **Create**. + 1. Select **Create** to close the **Create profile** window. -1. In the **Basics** page of the **Create profile** screen: +1. The **Create profile** screen will open. In the **Basics** page: 1. Next to **Name**, enter **Disable Kernel-Mode Crash Dumps**. 
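Review bot: the intro says kernel-mode crash dumps and live dumps can expose PDE keys but gives no reason; one clause explaining that a kernel dump is a copy of kernel memory, and that a live dump is taken while the system keeps running (no crash needed), would make clear why both **Allow Crash Dump** and **Allow Live Dump** must be blocked rather than only the crash setting.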
@@ -45,11 +47,12 @@ To disable kernel-mode crash dumps and live dumps using Intune: 1. In the **Configuration settings** page: 1. Select **Add settings**. - 1. In the **Settings picker** pane: + + 1. In the **Settings picker** window that opens: 1. Under **Browse by category**, scroll down and select **Memory Dump**. - 1. When the settings for the **Memory Dump** category appear under **Setting name**, select both **Allow Crash Dump** and **Allow Live Dump**, and then select the **X** in the top right corner of the **Settings picker** window to close the window. + 1. When the settings for the **Memory Dump** category appear under **Setting name** in the lower pane, select both **Allow Crash Dump** and **Allow Live Dump**, and then select the **X** in the top right corner of the **Settings picker** window to close the window. 1. Change both **Allow Live Dump** and **Allow Crash Dump** from **Allow** to **Block** by selecting the slider next to each option, and then select **Next**. 
@@ -63,8 +66,29 @@ To disable kernel-mode crash dumps and live dumps using Intune: > > Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile. - 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select**. + 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window. - 1. Under **Groups**, ensure the correct group(s) are selected, and then select **Next**. + 1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**. 1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**. + +## Additional PDE configurations in Intune + +### Required prerequisites + +- [Enable Personal Data Encryption (PDE)](../pde-in-intune/intune-enable-pde.md) + +- [Disable Winlogon automatic restart sign-on (ARSO)](../pde-in-intune/intune-disable-arso.md) + +### Security hardening recommendations + +- [Disable Windows Error Reporting (WER)/Disable user-mode crash dumps](../pde-in-intune/intune-disable-wer.md) + +- [Disable hibernation](../pde-in-intune/intune-disable-hibernation.md) + +- [Disable allowing users to select when a password is required when resuming from connected standby](../pde-in-intune/intune-disable-password-connected-standby.md) + +## More information + +- [Personal Data Encryption (PDE)](../overview-pde.md) +- [Personal Data Encryption (PDE) FAQ](../faq-pde.yml) 
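Review bot: the new `## Additional PDE configurations in Intune` block at the end of this hunk is pasted, minus the entry for the current article, into every article in this patch (see the matching hunks for the connected-standby, WER and enable-PDE files); six hand-maintained copies of the same list will drift the first time an article is added or renamed, so consider a shared `[!INCLUDE]` fragment or a single link to the "Configure Personal Data Encryption (PDE) in Intune" hub page that the TOC already has. The links also use `../pde-in-intune/intune-enable-pde.md` from a file that itself lives in `pde-in-intune/`; a bare `intune-enable-pde.md` is shorter and keeps working if that folder is renamed.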
diff --git a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-password-connected-standby.md b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-password-connected-standby.md index ef2e52b7ad..e329d76e7d 100644 --- a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-password-connected-standby.md +++ b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-password-connected-standby.md @@ -1,6 +1,6 @@ --- -title: Disable allowing users to select when a password is required when resuming from connected standby in Intune -description: Disable allowing users to select when a password is required when resuming from connected standby in Intune +title: Disable allowing users to select when a password is required when resuming from connected standby for PDE using Intune +description: Disable allowing users to select when a password is required when resuming from connected standby for PDE using Intune author: frankroj ms.author: frankroj ms.reviewer: rhonnegowda @@ -12,7 +12,7 @@ ms.localizationpriority: medium ms.date: 03/10/2023 --- -# Disable allowing users to select when a password is required when resuming from connected standby in Intune +# Disable allowing users to select when a password is required when resuming from connected standby for PDE When the **Disable allowing users to select when a password is required when resuming from connected standby** policy isn't configured, the outcome between on-premises Active Directory joined devices and workgroup devices, including Azure Active Directory joined devices, is different: 
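Review bot: the intro sentence kept as context in the @@ -12,7 hunk refers to "the **Disable allowing users to select when a password is required when resuming from connected standby** policy", but that is the article's own title, not the policy's name; the setting the reader actually selects in the picker (see the @@ -32,53 hunk) is **Allow users to select when a password is required when resuming from connected standby**. Name the policy by its real setting name here and reserve "Disable allowing users to..." for the title and H1, otherwise readers search the Settings picker for a setting that does not exist.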
@@ -32,53 +32,55 @@ When the **Disable allowing users to select when a password is required when res Because of this undesired outcome, it's recommended to explicitly disable this policy on Azure AD joined devices instead of leaving it at the default of **Not configured**. +## Disable allowing users to select when a password is required when resuming from connected standby using Intune + To disable the policy **Disable allowing users to select when a password is required when resuming from connected standby** using Intune, follow the below steps: 1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -2. In the **Home** screen, select **Devices**. +1. In the **Home** screen, select **Devices** in the left pane. -3. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**. +1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**. -4. In the **Devices | Configuration profiles screen**, select **Create profile**. +1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**. -5. In the **Create profile** window: +1. In the **Create profile** window that opens: 1. Under **Platform**, select **Windows 10 and later**. - 2. Under **Profile type**, select **Settings catalog**. + 1. Under **Profile type**, select **Settings catalog**. - 3. Select **Create**. + 1. Select **Create** to close the **Create profile** window. -6. In the **Basics** page of the **Create profile** screen: +1. The **Create profile** screen will open. In the **Basics** page: 1. Next to **Name**, enter **Disable allowing users to select when a password is required when resuming from connected standby**. - 2. Next to **Description**, enter a description. + 1. Next to **Description**, enter a description. - 3. Select **Next**. + 1. Select **Next**. -7. In the **Configuration settings** page: +1. 
In the **Configuration settings** page: 1. Select **Add settings**. - 2. In the **Settings picker** window: + 1. In the **Settings picker** window that opens: - 1. Under **Browse by category**, expand **Administrative Templates** by selecting the **>** to the left of it. + 1. Under **Browse by category**, expand **Administrative Templates**. - 2. Under **Administrative Templates**, scroll down and expand **System**. + 1. Under **Administrative Templates**, scroll down and expand **System**. - 3. Under **System**, scroll down and select **Logon**. + 1. Under **System**, scroll down and select **Logon**. - 4. When the settings for the **Logon** subcategory appear under **Setting name**, select **Allow users to select when a password is required when resuming from connected standby**, and then select the **X** in the top right corner of the **Settings picker** window to close the window. + 1. When the settings for the **Logon** subcategory appear under **Setting name** in the lower pane, select **Allow users to select when a password is required when resuming from connected standby**, and then select the **X** in the top right corner of the **Settings picker** window to close the window. - 3. Leave the slider for **Allow users to select when a password is required when resuming from connected standby** at the default of **Disabled**. + 1. Leave the slider for **Allow users to select when a password is required when resuming from connected standby** at the default of **Disabled**. - 4. select **Next**. + 1. select **Next**. -8. In the **Scope tags** page, configure if necessary and then select **Next**. +1. In the **Scope tags** page, configure if necessary and then select **Next**. -9. In the **Assignments** page: +1. In the **Assignments** page: 1. Under **Included groups**, select **Add groups**. 
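Review bot: "Leave the slider for **Allow users to select ...** at the default of **Disabled**" near the end of this hunk is ambiguous next to the article's earlier sentence about not leaving the policy "at the default of **Not configured**": the two "defaults" are different things, the slider's initial position once the setting has been added to the profile versus the policy being absent from the device. Say explicitly that adding the setting with the slider on **Disabled** pushes an explicit Disabled value, which is the whole point of the profile. Also, the renumbered line `1. select **Next**.` keeps the lowercase verb; it should read `1. Select **Next**.` like every other step.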
@@ -86,8 +88,29 @@ To disable the policy **Disable allowing users to select when a password is requ > > Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile. - 2. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select**. + 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window. - 3. Under **Groups**, ensure the correct group(s) are selected, and then select **Next**. + 1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**. -10. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**. +1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**. + +## Additional PDE configurations in Intune + +### Required prerequisites + +- [Enable Personal Data Encryption (PDE)](../pde-in-intune/intune-enable-pde.md) + +- [Disable Winlogon automatic restart sign-on (ARSO)](../pde-in-intune/intune-disable-arso.md) + +### Security hardening recommendations + +- [Disable kernel-mode crash dumps and live dumps](../pde-in-intune/intune-disable-memory-dumps.md) + +- [Disable Windows Error Reporting (WER)/Disable user-mode crash dumps](../pde-in-intune/intune-disable-wer.md) + +- [Disable hibernation](../pde-in-intune/intune-disable-hibernation.md) + +## More information + +- [Personal Data Encryption (PDE)](../overview-pde.md) +- [Personal Data Encryption (PDE) FAQ](../faq-pde.yml) 
diff --git a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-wer.md b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-wer.md index e83bb5eb89..0c792608c3 100644 --- a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-wer.md +++ b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-wer.md @@ -1,6 +1,6 @@ --- -title: Disable Windows Error Reporting (WER)/Disable user-mode crash dumps in Intune -description: Disable Windows Error Reporting (WER)/Disable user-mode crash dumps in Intune +title: Disable Windows Error Reporting (WER)/Disable user-mode crash dumps for PDE using Intune +description: Disable Windows Error Reporting (WER)/Disable user-mode crash dumps for PDE using Intune author: frankroj ms.author: frankroj ms.reviewer: rhonnegowda 
@@ -20,21 +20,21 @@ To disable Windows Error Reporting (WER) and user-mode crash dumps using Intune, 1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -1. In the **Home** screen, select **Devices**. +1. In the **Home** screen, select **Devices** in the left pane. 1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**. -1. In the **Devices | Configuration profiles screen**, select **Create profile**. +1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**. -1. In the **Create profile** window: +1. In the **Create profile** window that opens: 1. Under **Platform**, select **Windows 10 and later**. 1. Under **Profile type**, select **Settings catalog**. - 1. Select **Create**. + 1. Select **Create** to close the **Create profile** window. -1. In the **Basics** page of the **Create profile** screen: +1. The **Create profile** screen will open. In the **Basics** page: 1. Next to **Name**, enter **Disable Windows Error Reporting (WER)**. 
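Review bot: this file does not receive the `## ... using Intune` H2 that the sibling articles get in this same patch (compare the memory-dumps hunk at @@ -12,29 and the connected-standby hunk at @@ -32,53); this hunk starts at line 20, after the intro paragraph, so the heading insertion was skipped here. PATCH 037 later adds exactly that heading to this file, which confirms the omission; it belongs in this commit with the others.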
@@ -46,15 +46,15 @@ To disable Windows Error Reporting (WER) and user-mode crash dumps using Intune, 1. Select **Add settings**. - 1. In the **Settings picker** window: + 1. In the **Settings picker** window that opens: - 1. Under **Browse by category**, expand **Administrative Templates** by selecting the **>** to the left of it. + 1. Under **Browse by category**, expand **Administrative Templates**. 1. Under **Administrative Templates**, scroll down and expand **Windows Components**. - 1. Under **Windows Components**, scroll down and select **Windows Error Reporting**. + 1. Under **Windows Components**, scroll down and select **Windows Error Reporting**. Make sure to only select **Windows Error Reporting** and not to expand it. - 1. When the settings for the **Windows Error Reporting** subcategory appear under **Setting name**, select **Disable Windows Error Reporting**, and then select the **X** in the top right corner of the **Settings picker** window to close the window. + 1. When the settings for the **Windows Error Reporting** subcategory appear under **Setting name** in the lower pane, select **Disable Windows Error Reporting**, and then select the **X** in the top right corner of the **Settings picker** window to close the window. 1. Change **Disable Windows Error Reporting** from **Disabled** to **Enabled** by selecting the slider next to the option. 
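Review bot: the context line "Change **Disable Windows Error Reporting** from **Disabled** to **Enabled**" at the end of this hunk is a double negative that the hunk leaves as is; since the hunk already adds "Make sure to only select **Windows Error Reporting** and not to expand it" to pre-empt one mistake, a clause such as "(**Enabled** here turns Windows Error Reporting off)" would pre-empt the more likely one, a reader flipping the slider the wrong way.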
@@ -70,8 +70,29 @@ To disable Windows Error Reporting (WER) and user-mode crash dumps using Intune, > > Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile. - 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select**. + 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window. - 1. Under **Groups**, ensure the correct group(s) are selected, and then select **Next**. + 1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**. 1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**. + +## Additional PDE configurations in Intune + +### Required prerequisites + +- [Enable Personal Data Encryption (PDE)](../pde-in-intune/intune-enable-pde.md) + +- [Disable Winlogon automatic restart sign-on (ARSO)](../pde-in-intune/intune-disable-arso.md) + +### Security hardening recommendations + +- [Disable kernel-mode crash dumps and live dumps](../pde-in-intune/intune-disable-memory-dumps.md) + +- [Disable hibernation](../pde-in-intune/intune-disable-hibernation.md) + +- [Disable allowing users to select when a password is required when resuming from connected standby](../pde-in-intune/intune-disable-password-connected-standby.md) + +## More information + +- [Personal Data Encryption (PDE)](../overview-pde.md) +- [Personal Data Encryption (PDE) FAQ](../faq-pde.yml) 
diff --git a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-enable-pde.md b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-enable-pde.md index 77319b3e40..03b27c453f 100644 --- a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-enable-pde.md +++ b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-enable-pde.md @@ -1,6 +1,6 @@ --- -title: Enable Personal Data Encryption (PDE) in Intune -description: Enable Personal Data Encryption (PDE) in Intune +title: Enable Personal Data Encryption (PDE) using Intune +description: Enable Personal Data Encryption (PDE) using Intune author: frankroj ms.author: frankroj ms.reviewer: rhonnegowda 
@@ -12,19 +12,26 @@ ms.localizationpriority: medium ms.date: 03/10/2023 --- -# Enable Personal Data Encryption (PDE) in Intune +# Enable Personal Data Encryption (PDE) + +By default, Personal Data Encryption (PDE) is not enabled on devices. Before PDE can be used on a device, it needs to be enabled. This can be done via a custom OMA-URI policy assigned to the device. + +> [!NOTE] +> Enabling the PDE policy on devices only enables the PDE feature. It does not protect any content. To protect content via PDE, use the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). The PDE APIs can be used to create custom applications and scripts to specify which content to protect and at what level to protect the content. Additionally, the PDE APIs can't be used to protect content until the PDE policy has been enabled. + +## Enable Personal Data Encryption (PDE) using Intune To enable Personal Data Encryption (PDE) using Intune, follow the below steps: 1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -1. In the **Home** screen, select **Devices**. +1. In the **Home** screen, select **Devices** in the left pane. 1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**. -1. In the **Devices | Configuration profiles screen**, select **Create profile**. +1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**. -1. In the **Create profile** window: +1. In the **Create profile** window that opens: 1. Under **Platform**, select **Windows 10 and later**. 
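Review bot: the last sentence of the new `[!NOTE]` in this hunk ("Additionally, the PDE APIs can't be used to protect content until the PDE policy has been enabled") restates the first two sentences of the same note; drop it, or fold it into the first sentence. The new intro paragraph also says enablement "can be done via a custom OMA-URI policy" without naming the path, which only appears in the @@ -44,21 hunk; quoting `./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption` here lets readers who already know Intune skip the click-through.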
@@ -32,9 +39,9 @@ To enable Personal Data Encryption (PDE) using Intune, follow the below steps: 1. When the templates appears, under **Template name**, select **Custom**. - 1. Select **Create**. + 1. Select **Create** to close the **Create profile** window. -1. In the **Basics** page of the **Custom** screen: +1. The **Custom** screen will open. In the **Basics** page: 1. Next to **Name**, enter **Personal Data Encryption**. @@ -44,21 +51,24 @@ To enable Personal Data Encryption (PDE) using Intune, follow the below steps: 1. In **Configuration settings** page: - 1. Select **Add**. + 1. Next to **OMA-URI Settings**, select **Add**. - 1. In the **Add Row** pane: + 1. In the **Add Row** window that opens: 1. Next to **Name**, enter **Personal Data Encryption**. + 1. Next to **Description**, enter a description. - 1. Next to **OMA-URI**, enter in **./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption**. + + 1. Next to **OMA-URI**, enter in **`./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption`**. + 1. Next to **Data type**, select **Integer**. + 1. Next to **Value**, enter in **1**. - 1. Select **Save**. + + 1. Select **Save** to close the **Add Row** window. 1. Select **Next** -1. In the **Scope tags** page, configure if necessary and then select **Next**. - 1. In the **Assignments** page: 1. Under **Included groups**, select **Add groups**. 
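Review bot: the @@ -44,21 hunk deletes the step `1. In the **Scope tags** page, configure if necessary and then select **Next**.` with no explanation in the commit message, while the Settings catalog articles in this same patch keep that step; if the Custom template wizard really has no Scope tags page, say so in the message, otherwise this is a regression. Smaller points on lines the hunk touches or keeps as context: "When the templates appears" should be "When the templates appear", "enter in **`./User/...`**" should be "enter **`./User/...`**" (the same "enter in" appears on the **Value** line), and `1. Select **Next**` is missing its period.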
@@ -67,10 +77,32 @@ To enable Personal Data Encryption (PDE) using Intune, follow the below steps: > > Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile. - 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select**. + 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window. - 1. Under **Groups**, ensure the correct group(s) are selected, and then select **Next**. + 1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**. 1. In **Applicability Rules**, configure if necessary and then select **Next**. 1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**. + +## Additional PDE configurations in Intune + +### Required prerequisites + +- [Disable Winlogon automatic restart sign-on (ARSO)](../pde-in-intune/intune-disable-arso.md) + +### Security hardening recommendations + +- [Disable kernel-mode crash dumps and live dumps](../pde-in-intune/intune-disable-memory-dumps.md) + +- [Disable Windows Error Reporting (WER)/Disable user-mode crash dumps](../pde-in-intune/intune-disable-wer.md) + +- [Disable hibernation](../pde-in-intune/intune-disable-hibernation.md) + +- [Disable allowing users to select when a password is required when resuming from connected standby](../pde-in-intune/intune-disable-password-connected-standby.md) + +## More information + +- [Personal Data Encryption (PDE)](../overview-pde.md) +- [Personal Data Encryption (PDE) FAQ](../faq-pde.yml) + 
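Review bot: the assignment steps in this hunk, and the warning they sit under, talk only about "device groups", but the OMA-URI added in the previous hunk is user-scoped (`./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption`); state whether the profile is meant to be assigned to user groups, device groups or either, since that is the first question an admin asks when the node starts with `./User/`.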
From 51ff53f1e6ddc4e2f00b643e988860c62972ab07 Mon Sep 17 00:00:00 2001 From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Mon, 13 Mar 2023 15:01:23 -0400 Subject: [PATCH 037/101] PDE Intune Config Updates 5 --- windows/security/TOC.yml | 14 +++++++------- .../pde-in-intune/intune-disable-arso.md | 2 ++ .../pde-in-intune/intune-disable-hibernation.md | 2 ++ .../pde-in-intune/intune-disable-memory-dumps.md | 2 ++ .../intune-disable-password-connected-standby.md | 2 ++ .../pde-in-intune/intune-disable-wer.md | 6 +++++- .../pde-in-intune/intune-enable-pde.md | 2 ++ 7 files changed, 22 insertions(+), 8 deletions(-) diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index 53b5503c72..59d12fbe52 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml 
@@ -163,19 +163,19 @@ href: information-protection/personal-data-encryption/faq-pde.yml - name: Configure Personal Data Encryption (PDE) in Intune items: - - name: Configure Personal Data Encryption (PDE) in Intune + - name: Configure Personal Data Encryption (PDE) using Intune href: information-protection/personal-data-encryption/configure-pde-in-intune.md - - name: Enable Personal Data Encryption (PDE) in Intune + - name: Enable Personal Data Encryption (PDE) href: information-protection/personal-data-encryption/pde-in-intune/intune-enable-pde.md - - name: Disable Winlogon automatic restart sign-on (ARSO) + - name: Disable Winlogon automatic restart sign-on (ARSO) for PDE href: information-protection/personal-data-encryption/pde-in-intune/intune-disable-arso.md - - name: Disable kernel-mode crash dumps and live dumps + - name: Disable kernel-mode crash dumps and live dumps for PDE href: information-protection/personal-data-encryption/pde-in-intune/intune-disable-memory-dumps.md - - name: Disable Windows Error Reporting (WER)/Disable user-mode crash dumps + - name: Disable Windows Error Reporting (WER)/Disable user-mode crash dumps for PDE href: information-protection/personal-data-encryption/pde-in-intune/intune-disable-wer.md - - name: Disable hibernation + - name: Disable hibernation for PDE href: information-protection/personal-data-encryption/pde-in-intune/intune-disable-hibernation.md - - name: Disable allowing users to select when a password is required when resuming from connected standby + - name: Disable allowing users to select when a password is required when resuming from connected standby for PDE href: information-protection/personal-data-encryption/pde-in-intune/intune-disable-password-connected-standby.md - name: Configure S/MIME for Windows href: identity-protection/configure-s-mime.md 
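Review bot: the renamed TOC entries in this hunk are inconsistent with each other and with their parent: the parent node is still "Configure Personal Data Encryption (PDE) in Intune" while its first child becomes "... using Intune", the "Enable Personal Data Encryption (PDE)" entry gets no suffix at all, and the remaining five get "for PDE". Pick one pattern (for example "... for PDE" on every child and "using Intune" on the parent only) so the nav reads as one list.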
diff --git a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-arso.md b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-arso.md index 206cc5bffd..c8f9c3b3a6 100644 --- a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-arso.md +++ b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-arso.md @@ -78,6 +78,8 @@ To disable ARSO using Intune, follow the below steps: ## Additional PDE configurations in Intune +The following PDE configurations can also be configured using Intune: + ### Required prerequisites - [Enable Personal Data Encryption (PDE)](../pde-in-intune/intune-enable-pde.md) diff --git a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-hibernation.md b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-hibernation.md index be8e18a1ba..6c60e17c42 100644 --- a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-hibernation.md +++ b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-hibernation.md @@ -76,6 +76,8 @@ To disable hibernation using Intune, follow the below steps: ## Additional PDE configurations in Intune +The following PDE configurations can also be configured using Intune: + ### Required prerequisites - [Enable Personal Data Encryption (PDE)](../pde-in-intune/intune-enable-pde.md) diff --git a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-memory-dumps.md b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-memory-dumps.md index f506d7494c..295ccb8d37 100644 --- a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-memory-dumps.md 
+++ b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-memory-dumps.md @@ -74,6 +74,8 @@ To disable kernel-mode crash dumps and live dumps using Intune, follow the below ## Additional PDE configurations in Intune +The following PDE configurations can also be configured using Intune: + ### Required prerequisites - [Enable Personal Data Encryption (PDE)](../pde-in-intune/intune-enable-pde.md) diff --git a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-password-connected-standby.md b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-password-connected-standby.md index e329d76e7d..aaf439cbbf 100644 --- a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-password-connected-standby.md +++ b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-password-connected-standby.md @@ -96,6 +96,8 @@ To disable the policy **Disable allowing users to select when a password is requ ## Additional PDE configurations in Intune +The following PDE configurations can also be configured using Intune: + ### Required prerequisites - [Enable Personal Data Encryption (PDE)](../pde-in-intune/intune-enable-pde.md) diff --git a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-wer.md b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-wer.md index 0c792608c3..25ee81168d 100644 --- a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-wer.md +++ b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-wer.md 
@@ -12,10 +12,12 @@ ms.localizationpriority: medium ms.date: 03/10/2023 --- -# Disable Windows Error Reporting (WER)/Disable user-mode crash dumps in Intune +# Disable Windows Error Reporting (WER)/Disable user-mode crash dumps for PDE Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode crash dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable user-mode crash dumps. +## Disable Windows Error Reporting (WER)/Disable user-mode crash dumps using Intune + To disable Windows Error Reporting (WER) and user-mode crash dumps using Intune, follow the below steps: 1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). @@ -78,6 +80,8 @@ To disable Windows Error Reporting (WER) and user-mode crash dumps using Intune, ## Additional PDE configurations in Intune +The following PDE configurations can also be configured using Intune: + ### Required prerequisites - [Enable Personal Data Encryption (PDE)](../pde-in-intune/intune-enable-pde.md) diff --git a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-enable-pde.md b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-enable-pde.md index 03b27c453f..1dcaf5dd95 100644 --- a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-enable-pde.md +++ b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-enable-pde.md @@ -87,6 +87,8 @@ To enable Personal Data Encryption (PDE) using Intune, follow the below steps: ## Additional PDE configurations in Intune +The following PDE configurations can also be configured using Intune: + ### Required prerequisites - [Disable Winlogon automatic restart sign-on (ARSO)](../pde-in-intune/intune-disable-arso.md) From c6caf384215fd1e1b21271d4451dbe22d6078941 Mon Sep 17 00:00:00 2001 
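Review bot: the sentence added in each of the six hunks of this patch, "The following PDE configurations can also be configured using Intune:", is redundant ("configurations ... configured"); "The following PDE settings can also be managed using Intune:" says the same thing. It is also the second time in two commits that an identical line is hand-copied into every article under `pde-in-intune/`; an `[!INCLUDE]` for the shared "Additional PDE configurations" section would have made this a one-line change. The @@ -12,10 hunk for intune-disable-wer.md adds the `## ... using Intune` H2 that PATCH 036 gave the sibling files; fine as a follow-up, but it would be cleaner squashed into that commit.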
From: tiaraquan Date: Mon, 13 Mar 2023 12:05:19 -0700 Subject: [PATCH 038/101] Reorganization --- .openpublishing.redirection.json | 5 +++++ windows/deployment/windows-autopatch/TOC.yml | 6 +++--- .../{references => overview}/windows-autopatch-privacy.md | 4 ++-- 3 files changed, 10 insertions(+), 5 deletions(-) rename windows/deployment/windows-autopatch/{references => overview}/windows-autopatch-privacy.md (99%) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 9dda6989f1..a466519b7f 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -20649,6 +20649,11 @@ "source_path": "education/windows/enable-s-mode-on-surface-go-devices.md", "redirect_url": "/windows/deployment/s-mode", "redirect_document_id": false + }, + { + "source_path": "windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md", + "redirect_url": "/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy", + "redirect_document_id": true } ] } diff --git a/windows/deployment/windows-autopatch/TOC.yml b/windows/deployment/windows-autopatch/TOC.yml index cadaa5a926..ec97a45acf 100644 --- a/windows/deployment/windows-autopatch/TOC.yml +++ b/windows/deployment/windows-autopatch/TOC.yml @@ -8,6 +8,8 @@ href: overview/windows-autopatch-overview.md - name: Roles and responsibilities href: overview/windows-autopatch-roles-responsibilities.md + - name: Privacy + href: overview/windows-autopatch-privacy.md - name: FAQ href: overview/windows-autopatch-faq.yml - name: Prepare @@ -90,7 +92,7 @@ href: operate/windows-autopatch-deregister-devices.md - name: Unenroll your tenant href: operate/windows-autopatch-unenroll-tenant.md - - name: Reference + - name: References href: items: - name: Update policies 
@@ -102,8 +104,6 @@ href: references/windows-autopatch-microsoft-365-policies.md - name: Changes made at tenant enrollment href: references/windows-autopatch-changes-to-tenant.md - - name: Privacy - href: references/windows-autopatch-privacy.md - name: What's new href: items: diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md similarity index 99% rename from windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md rename to windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md index 869de01cce..340d5a2503 100644 --- a/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md @@ -1,7 +1,7 @@ --- title: Privacy description: This article provides details about the data platform and privacy compliance for Autopatch -ms.date: 02/02/2023 +ms.date: 03/13/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: reference @@ -72,7 +72,7 @@ Windows Autopatch creates an enterprise application in your tenant. This enterpr | Enterprise application name | Usage | Permissions | | ----- | ----- | ----- | -| Modern Workplace Management | This enterprise application is a limited first party enterprise application with elevated privileges. This application is used to manage the service, publish baseline configuration updates, and maintain overall service health. |
  • DeviceManagementApps.ReadWrite.All
  • DeviceManagementConfiguration.ReadWrite.All
  • DeviceManagementManagedDevices.PriviligedOperation.All
  • DeviceManagementManagedDevices.ReadWrite.All
  • DeviceManagementRBAC.ReadWrite.All
  • DeviceManagementServiceConfig.ReadWrite.All
  • Directory.Read.All
  • Group.Create
  • Policy.Read.All
  • WindowsUpdates.Read.Write.All
| +| Modern Workplace Management | This enterprise application is a limited first party enterprise application with elevated privileges. This application is used to manage the service, publish baseline configuration updates, and maintain overall service health. |
  • DeviceManagementApps.ReadWrite.All
  • DeviceManagementConfiguration.ReadWrite.All
  • DeviceManagementManagedDevices.PriviligedOperation.All
  • DeviceManagementManagedDevices.ReadWrite.All
  • DeviceManagementRBAC.ReadWrite.All
  • DeviceManagementServiceConfig.ReadWrite.All
  • Directory.Read.All
  • Group.Create
  • Policy.Read.All
  • WindowsUpdates.ReadWrite.All
| ### Service accounts From 31fc05f7fce18f824400c389b139f63dbb6b5754 Mon Sep 17 00:00:00 2001 From: tiaraquan Date: Mon, 13 Mar 2023 12:10:00 -0700 Subject: [PATCH 039/101] Fixed broken links --- .../operate/windows-autopatch-maintain-environment.md | 2 +- .../operate/windows-autopatch-unenroll-tenant.md | 2 +- ...windows-autopatch-windows-quality-update-reports-overview.md | 2 +- .../windows-autopatch/overview/windows-autopatch-overview.md | 2 +- .../overview/windows-autopatch-roles-responsibilities.md | 2 +- .../prepare/windows-autopatch-prerequisites.md | 2 +- .../whats-new/windows-autopatch-whats-new-2022.md | 2 +- .../whats-new/windows-autopatch-whats-new-2023.md | 2 +- 8 files changed, 8 insertions(+), 8 deletions(-) diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md index 72d902e425..b67ec6d208 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md 
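Review bot: the permission name `DeviceManagementManagedDevices.PriviligedOperation.All` in the Modern Workplace Management row is misspelled in both the removed and the added line, while the same edit corrects `WindowsUpdates.Read.Write.All` to `WindowsUpdates.ReadWrite.All`; the Microsoft Graph application permission is spelled `DeviceManagementManagedDevices.PrivilegedOperations.All`. Administrators use this table to audit what the first-party application has been granted in their tenant, so each entry should match the consented permission string exactly; fix the spelling in this hunk rather than leaving it for a later pass.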
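Review bot: renaming `references/windows-autopatch-privacy.md` to `overview/` leaves every inbound source link (`../references/windows-autopatch-privacy.md`) and the page's own same-directory link to `windows-autopatch-changes-to-tenant.md` pointing at a path that no longer exists; the entry added to `.openpublishing.redirection.json` redirects the published URL but does nothing for source-relative links. Those fixes only arrive in PATCH 039 and PATCH 041, so the move and the link updates should land in one commit to avoid a broken build between them. The front matter also still carries `ms.topic: reference` for a page now filed under Overview.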
@@ -37,7 +37,7 @@ Windows Autopatch deploys, manages and maintains all configurations related to t The **Tenant management** blade can be found by navigating to Tenant administration > Windows Autopatch > **Tenant management**. > [!IMPORTANT] -> Starting October 12, 2022, Windows Autopatch will manage your tenant with our [first party enterprise applications](../references/windows-autopatch-changes-to-tenant.md#windows-autopatch-enterprise-applications). If your tenant is still using the [Windows Autopatch service accounts](../references/windows-autopatch-privacy.md#service-accounts), your Global admin must take action in the new Windows Autopatch Tenant management blade to approve the configuration change. To take action or see if you need to take action, visit the Tenant management blade in the Windows Autopatch portal. +> Starting October 12, 2022, Windows Autopatch will manage your tenant with our [first party enterprise applications](../references/windows-autopatch-changes-to-tenant.md#windows-autopatch-enterprise-applications). If your tenant is still using the [Windows Autopatch service accounts](../overview/windows-autopatch-privacy.md#service-accounts), your Global admin must take action in the new Windows Autopatch Tenant management blade to approve the configuration change. To take action or see if you need to take action, visit the Tenant management blade in the Windows Autopatch portal. The type of banner that appears depends on the severity of the action. Currently, only critical actions are listed. diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-unenroll-tenant.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-unenroll-tenant.md index 73e870645b..8a69ef3f78 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-unenroll-tenant.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-unenroll-tenant.md 
@@ -32,7 +32,7 @@ Unenrolling from Windows Autopatch requires manual actions from both you and fro | Responsibility | Description | | ----- | ----- | -| Windows Autopatch data | Windows Autopatch will delete user data that is within the Windows Autopatch service. We won’t make changes to any other data. For more information about how data is used in Windows Autopatch, see [Privacy](../references/windows-autopatch-privacy.md). | +| Windows Autopatch data | Windows Autopatch will delete user data that is within the Windows Autopatch service. We won’t make changes to any other data. For more information about how data is used in Windows Autopatch, see [Privacy](../overview/windows-autopatch-privacy.md). | | Deregistering devices | Windows Autopatch will deregister all devices previously registered with the service. Only the Windows Autopatch device record will be deleted. We won't delete Microsoft Intune and/or Azure Active Directory device records. For more information, see [Deregister a device](/windows/deployment/windows-autopatch/operate/windows-autopatch-deregister-devices). | ## Your responsibilities after unenrolling your tenant diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-reports-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-reports-overview.md index c55689a4ea..c3ea51727d 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-reports-overview.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-reports-overview.md 
@@ -39,7 +39,7 @@ Users with the following permissions can access the reports: ## About data latency -The data source for these reports is the [Windows diagnostic data](../references/windows-autopatch-privacy.md#microsoft-windows-1011-diagnostic-data). The data typically uploads from enrolled devices once per day. Then, the data is processed in batches before being made available in Windows Autopatch. The maximum end-to-end latency is approximately 24 hours. +The data source for these reports is the [Windows diagnostic data](../overview/windows-autopatch-privacy.md#microsoft-windows-1011-diagnostic-data). The data typically uploads from enrolled devices once per day. Then, the data is processed in batches before being made available in Windows Autopatch. The maximum end-to-end latency is approximately 24 hours. ## Windows quality update statuses diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md index 9698a98009..35df585aa1 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md @@ -63,7 +63,7 @@ Microsoft remains committed to the security of your data and the [accessibility] | Prepare | The following articles describe the mandatory steps to prepare and enroll your tenant into Windows Autopatch:
  • [Prerequisites](../prepare/windows-autopatch-prerequisites.md)
  • [Configure your network](../prepare/windows-autopatch-configure-network.md)
  • [Enroll your tenant](../prepare/windows-autopatch-enroll-tenant.md)
  • [Fix issues found by the Readiness assessment tool](../prepare/windows-autopatch-fix-issues.md)
| | Deploy | Once you've enrolled your tenant, this section instructs you to:
  • [Add and verify admin contacts](../deploy/windows-autopatch-admin-contacts.md)
  • [Register your devices](../deploy/windows-autopatch-register-devices.md)
| | Operate | This section includes the following information about your day-to-day life with the service:
  • [Update management](../operate/windows-autopatch-update-management.md)
  • [Maintain your Windows Autopatch environment](../operate/windows-autopatch-maintain-environment.md)
  • [Submit a support request](../operate/windows-autopatch-support-request.md)
  • [Deregister a device](../operate/windows-autopatch-deregister-devices.md)
-| References | This section includes the following articles:
  • [Windows update policies](../references/windows-autopatch-windows-update-unsupported-policies.md)
  • [Microsoft 365 Apps for enterprise update policies](../references/windows-autopatch-microsoft-365-policies.md)
  • [Privacy](../references/windows-autopatch-privacy.md)
  • [Windows Autopatch Preview Addendum](../references/windows-autopatch-preview-addendum.md)
| +| References | This section includes the following articles:
  • [Windows update policies](../references/windows-autopatch-windows-update-unsupported-policies.md)
  • [Microsoft 365 Apps for enterprise update policies](../references/windows-autopatch-microsoft-365-policies.md)
  • [Privacy](../overview/windows-autopatch-privacy.md)
  • [Windows Autopatch Preview Addendum](../references/windows-autopatch-preview-addendum.md)
| ### Have feedback or would like to start a discussion? diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md index 9092acc2af..d185fe21d6 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md @@ -25,7 +25,7 @@ This article outlines your responsibilities and Windows Autopatch's responsibili | Task | Your responsibility | Windows Autopatch | | ----- | :-----: | :-----: | | Review the [prerequisites](../prepare/windows-autopatch-prerequisites.md) | :heavy_check_mark: | :x: | -| [Review the service data platform and privacy compliance details](../references/windows-autopatch-privacy.md) | :heavy_check_mark: | :x: | +| [Review the service data platform and privacy compliance details](../overview/windows-autopatch-privacy.md) | :heavy_check_mark: | :x: | | Ensure device [prerequisites](../prepare/windows-autopatch-prerequisites.md) are met and in place prior to enrollment | :heavy_check_mark: | :x: | | Ensure [infrastructure and environment prerequisites](../prepare/windows-autopatch-configure-network.md) are met and in place prior to enrollment | :heavy_check_mark: | :x: | | Prepare to remove your devices from existing unsupported [Windows update](../references/windows-autopatch-windows-update-unsupported-policies.md) and [Microsoft 365](../references/windows-autopatch-microsoft-365-policies.md) policies | :heavy_check_mark: | :x: | diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md index 8d449d67e8..c2f86d2ca3 100644 --- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md 
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md @@ -22,7 +22,7 @@ Getting started with Windows Autopatch has been designed to be easy. This articl | Connectivity | All Windows Autopatch devices require connectivity to multiple Microsoft service endpoints from the corporate network.

For the full list of required IPs and URLs, see [Configure your network](../prepare/windows-autopatch-configure-network.md). | | Azure Active Directory | Azure Active Directory must either be the source of authority for all user accounts, or user accounts must be synchronized from on-premises Active Directory using the latest supported version of Azure Active Directory Connect to enable Hybrid Azure Active Directory join.

  • For more information, see [Azure Active Directory Connect](/azure/active-directory/hybrid/whatis-azure-ad-connect) and [Hybrid Azure Active Directory join](/azure/active-directory/devices/howto-hybrid-azure-ad-join)
  • For more information on supported Azure Active Directory Connect versions, see [Azure AD Connect:Version release history](/azure/active-directory/hybrid/reference-connect-version-history).
| | Device management | [Devices must be already enrolled with Microsoft Intune](/mem/intune/user-help/enroll-windows-10-device) prior to registering with Windows Autopatch. Intune must be set as the Mobile Device Management (MDM) authority or co-management must be turned on and enabled on the target devices.

At a minimum, the Windows Update, Device configuration and Office Click-to-Run apps workloads must be set to Pilot Intune or Intune. You must also ensure that the devices you intend on bringing to Windows Autopatch are in the targeted device collection. For more information, see [co-management requirements for Windows Autopatch](#configuration-manager-co-management-requirements).

Other device management prerequisites include:

  • Devices must be corporate-owned. Windows bring-your-own-devices (BYOD) are blocked during device registration prerequisite checks.
  • Devices must be managed by either Intune or Configuration Manager co-management. Devices only managed by Configuration Manager aren't supported.
  • Devices must be in communication with Microsoft Intune in the **last 28 days**. Otherwise, the devices won't be registered with Autopatch.
  • Devices must be connected to the internet.
  • Devices must have a **Serial number**, **Model** and **Manufacturer**. Device emulators that don't generate this information fail to meet **Intune or Cloud-attached** prerequisite check.

See [Register your devices](/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices) for more details on device prerequisites and on how the device registration process works with Windows Autopatch.

For more information on co-management, see [co-management for Windows devices](/mem/configmgr/comanage/overview).

| -| Data and privacy | For more information on Windows Autopatch privacy practices, see [Windows Autopatch Privacy](../references/windows-autopatch-privacy.md). | +| Data and privacy | For more information on Windows Autopatch privacy practices, see [Windows Autopatch Privacy](../overview/windows-autopatch-privacy.md). | ## More about licenses diff --git a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2022.md b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2022.md index 93303c80c3..dc5d2ccde2 100644 --- a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2022.md +++ b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2022.md @@ -43,7 +43,7 @@ Minor corrections such as typos, style, or formatting issues aren't listed. | Article | Description | | ----- | ----- | -| [Privacy](../references/windows-autopatch-privacy.md) | Updated data center locations
  • [MC448005](https://admin.microsoft.com/adminportal/home#/MessageCenter) | +| [Privacy](../overview/windows-autopatch-privacy.md) | Updated data center locations
    • [MC448005](https://admin.microsoft.com/adminportal/home#/MessageCenter) | | [Changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md) | Updated multiple sections because of the OMA-URI to Intune Settings Catalog policy migration
      • [MC443898](https://admin.microsoft.com/adminportal/home#/MessageCenter) | | [Configure your network](../prepare/windows-autopatch-configure-network.md) | Added information on Delivery Optimization | | [Microsoft 365 Apps for enterprise](../operate/windows-autopatch-microsoft-365-apps-enterprise.md) | 32 and 64-bit versions are supported | diff --git a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md index 79523a8850..74be47a517 100644 --- a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md +++ b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md 
@@ -44,7 +44,7 @@ Minor corrections such as typos, style, or formatting issues aren't listed. | [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) | Added note about [Windows 10 Long-Term Servicing Channel (LTSC) support](../operate/windows-autopatch-windows-quality-update-overview.md#device-eligibility) | | [Register your devices](../deploy/windows-autopatch-register-devices.md) | Added note about [Windows 10 Long-Term Servicing Channel (LTSC) support](../deploy/windows-autopatch-register-devices.md#prerequisites-for-device-registration) | | [Prerequisites](../prepare/windows-autopatch-prerequisites.md) | Added note about [Windows 10 Long-Term Servicing Channel (LTSC) support](../prepare/windows-autopatch-prerequisites.md#more-about-licenses) | -| [Privacy](../references/windows-autopatch-privacy.md) | Added additional resources to the [Microsoft Windows 10/11 diagnostic data](../references/windows-autopatch-privacy.md#microsoft-windows-1011-diagnostic-data) section | +| [Privacy](../overview/windows-autopatch-privacy.md) | Added additional resources to the [Microsoft Windows 10/11 diagnostic data](../overview/windows-autopatch-privacy.md#microsoft-windows-1011-diagnostic-data) section | | [Changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md) | Updated Feature update policies section with Windows Autopatch - DSS Policy [deployment ring] | | [Register your devices](../deploy/windows-autopatch-register-devices.md) |
        • Updated the [Built-in roles required for registration](../deploy/windows-autopatch-register-devices.md#built-in-roles-required-for-device-registration) section
        • Added more information about assigning less-privileged user accounts
        | From fcb9f92b78c90819a127348fcbbc3e76fba35bee Mon Sep 17 00:00:00 2001 From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Mon, 13 Mar 2023 15:11:49 -0400 Subject: [PATCH 040/101] PDE Intune Config Updates 6 --- windows/security/TOC.yml | 2 +- .../configure-pde-in-intune.md | 4 ++-- .../personal-data-encryption/faq-pde.yml | 2 +- .../includes/pde-description.md | 4 ++-- .../personal-data-encryption/overview-pde.md | 4 ++-- .../pde-in-intune/intune-disable-arso.md | 4 ++-- .../pde-in-intune/intune-disable-hibernation.md | 4 ++-- .../pde-in-intune/intune-disable-memory-dumps.md | 4 ++-- .../intune-disable-password-connected-standby.md | 4 ++-- .../pde-in-intune/intune-disable-wer.md | 10 +++++----- .../pde-in-intune/intune-enable-pde.md | 4 ++-- 11 files changed, 23 insertions(+), 23 deletions(-) diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index 59d12fbe52..858bb656b0 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml @@ -171,7 +171,7 @@ href: information-protection/personal-data-encryption/pde-in-intune/intune-disable-arso.md - name: Disable kernel-mode crash dumps and live dumps for PDE href: information-protection/personal-data-encryption/pde-in-intune/intune-disable-memory-dumps.md - - name: Disable Windows Error Reporting (WER)/Disable user-mode crash dumps for PDE + - name: Disable Windows Error Reporting (WER)/user-mode crash dumps for PDE href: information-protection/personal-data-encryption/pde-in-intune/intune-disable-wer.md - name: Disable hibernation for PDE href: information-protection/personal-data-encryption/pde-in-intune/intune-disable-hibernation.md diff --git a/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md b/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md index 6beab3070b..3319c6e6d2 100644 --- a/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md 
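Review bot: in the windows-autopatch-overview.md hunk, the References row of the table still lists Privacy even though PATCH 038 moved the article under Overview in the TOC; only the path changed, so the row now describes a section that no longer contains the page. Move the `[Privacy](../overview/windows-autopatch-privacy.md)` bullet to the row describing overview content, or drop it. Since windows-autopatch-overview.md itself lives in `overview/`, the plain relative path `windows-autopatch-privacy.md` would also be simpler than `../overview/windows-autopatch-privacy.md`.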
+++ b/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md @@ -9,7 +9,7 @@ ms.topic: how-to ms.prod: windows-client ms.technology: itpro-security ms.localizationpriority: medium -ms.date: 03/10/2023 +ms.date: 03/13/2023 --- @@ -29,7 +29,7 @@ The various required and recommended policies needed for Personal Data Encryptio 1. [Disable kernel-mode crash dumps and live dumps](pde-in-intune/intune-disable-memory-dumps.md) -1. [Disable Windows Error Reporting (WER)/Disable user-mode crash dumps](pde-in-intune/intune-disable-wer.md) +1. [Disable Windows Error Reporting (WER)/user-mode crash dumps](pde-in-intune/intune-disable-wer.md) 1. [Disable hibernation](pde-in-intune/intune-disable-hibernation.md) diff --git a/windows/security/information-protection/personal-data-encryption/faq-pde.yml b/windows/security/information-protection/personal-data-encryption/faq-pde.yml index c56effe008..01ba4b7b8e 100644 --- a/windows/security/information-protection/personal-data-encryption/faq-pde.yml +++ b/windows/security/information-protection/personal-data-encryption/faq-pde.yml @@ -11,7 +11,7 @@ metadata: ms.prod: windows-client ms.technology: itpro-security ms.localizationpriority: medium - ms.date: 12/13/2022 + ms.date: 03/13/2023 # Max 5963468 OS 32516487 # Max 6946251 diff --git a/windows/security/information-protection/personal-data-encryption/includes/pde-description.md b/windows/security/information-protection/personal-data-encryption/includes/pde-description.md index 2eb0fa2a66..1d6d83ff6c 100644 --- a/windows/security/information-protection/personal-data-encryption/includes/pde-description.md +++ b/windows/security/information-protection/personal-data-encryption/includes/pde-description.md 
@@ -6,11 +6,11 @@ author: frankroj ms.author: frankroj ms.reviewer: rhonnegowda manager: aaroncz -ms.topic: how-to +ms.topic: include ms.prod: windows-client ms.technology: itpro-security ms.localizationpriority: medium -ms.date: 12/13/2022 +ms.date: 03/13/2023 --- diff --git a/windows/security/information-protection/personal-data-encryption/overview-pde.md b/windows/security/information-protection/personal-data-encryption/overview-pde.md index 10b6a7e163..1d9f7d5bd5 100644 --- a/windows/security/information-protection/personal-data-encryption/overview-pde.md +++ b/windows/security/information-protection/personal-data-encryption/overview-pde.md @@ -9,7 +9,7 @@ ms.topic: how-to ms.prod: windows-client ms.technology: itpro-security ms.localizationpriority: medium -ms.date: 03/10/2023 +ms.date: 03/13/2023 --- @@ -48,7 +48,7 @@ ms.date: 03/10/2023 - [Windows Error Reporting (WER) disabled/User-mode crash dumps disabled](/windows/client-management/mdm/policy-csp-errorreporting#errorreporting-disablewindowserrorreporting) - Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode crash dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable user-mode crash dumps. For more information on disabling crash dumps via Intune, see [Disable Windows Error Reporting (WER)/Disable user-mode crash dumps](pde-in-intune/intune-disable-wer.md). + Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode crash dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable user-mode crash dumps. For more information on disabling crash dumps via Intune, see [Disable Windows Error Reporting (WER)/user-mode crash dumps](pde-in-intune/intune-disable-wer.md). - [Hibernation disabled](/windows/client-management/mdm/policy-csp-power#power-allowhibernate) 
diff --git a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-arso.md b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-arso.md index c8f9c3b3a6..dcf750c606 100644 --- a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-arso.md +++ b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-arso.md @@ -9,7 +9,7 @@ ms.topic: how-to ms.prod: windows-client ms.technology: itpro-security ms.localizationpriority: medium -ms.date: 03/10/2023 +ms.date: 03/13/2023 --- # Disable Winlogon automatic restart sign-on (ARSO) for PDE @@ -88,7 +88,7 @@ The following PDE configurations can also be configured using Intune: - [Disable kernel-mode crash dumps and live dumps](../pde-in-intune/intune-disable-memory-dumps.md) -- [Disable Windows Error Reporting (WER)/Disable user-mode crash dumps](../pde-in-intune/intune-disable-wer.md) +- [Disable Windows Error Reporting (WER)/user-mode crash dumps](../pde-in-intune/intune-disable-wer.md) - [Disable hibernation](../pde-in-intune/intune-disable-hibernation.md) diff --git a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-hibernation.md b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-hibernation.md index 6c60e17c42..ae447a265b 100644 --- a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-hibernation.md +++ b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-hibernation.md @@ -9,7 +9,7 @@ ms.topic: how-to ms.prod: windows-client ms.technology: itpro-security ms.localizationpriority: medium -ms.date: 03/10/2023 +ms.date: 03/13/2023 --- # Disable hibernation for PDE 
@@ -88,7 +88,7 @@ The following PDE configurations can also be configured using Intune: - [Disable kernel-mode crash dumps and live dumps](../pde-in-intune/intune-disable-memory-dumps.md) -- [Disable Windows Error Reporting (WER)/Disable user-mode crash dumps](../pde-in-intune/intune-disable-wer.md) +- [Disable Windows Error Reporting (WER)/user-mode crash dumps](../pde-in-intune/intune-disable-wer.md) - [Disable allowing users to select when a password is required when resuming from connected standby](../pde-in-intune/intune-disable-password-connected-standby.md) diff --git a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-memory-dumps.md b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-memory-dumps.md index 295ccb8d37..7bd550c37b 100644 --- a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-memory-dumps.md +++ b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-memory-dumps.md @@ -9,7 +9,7 @@ ms.topic: how-to ms.prod: windows-client ms.technology: itpro-security ms.localizationpriority: medium -ms.date: 03/10/2023 +ms.date: 03/13/2023 --- # Disable kernel-mode crash dumps and live dumps for PDE @@ -84,7 +84,7 @@ The following PDE configurations can also be configured using Intune: ### Security hardening recommendations -- [Disable Windows Error Reporting (WER)/Disable user-mode crash dumps](../pde-in-intune/intune-disable-wer.md) +- [Disable Windows Error Reporting (WER)/user-mode crash dumps](../pde-in-intune/intune-disable-wer.md) - [Disable hibernation](../pde-in-intune/intune-disable-hibernation.md) 
diff --git a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-password-connected-standby.md b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-password-connected-standby.md index aaf439cbbf..373a303a3c 100644 --- a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-password-connected-standby.md +++ b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-password-connected-standby.md @@ -9,7 +9,7 @@ ms.topic: how-to ms.prod: windows-client ms.technology: itpro-security ms.localizationpriority: medium -ms.date: 03/10/2023 +ms.date: 03/13/2023 --- # Disable allowing users to select when a password is required when resuming from connected standby for PDE @@ -108,7 +108,7 @@ The following PDE configurations can also be configured using Intune: - [Disable kernel-mode crash dumps and live dumps](../pde-in-intune/intune-disable-memory-dumps.md) -- [Disable Windows Error Reporting (WER)/Disable user-mode crash dumps](../pde-in-intune/intune-disable-wer.md) +- [Disable Windows Error Reporting (WER)/user-mode crash dumps](../pde-in-intune/intune-disable-wer.md) - [Disable hibernation](../pde-in-intune/intune-disable-hibernation.md) diff --git a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-wer.md b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-wer.md index 25ee81168d..673ef17eee 100644 --- a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-wer.md +++ b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-wer.md 
@@ -1,6 +1,6 @@ --- -title: Disable Windows Error Reporting (WER)/Disable user-mode crash dumps for PDE using Intune -description: Disable Windows Error Reporting (WER)/Disable user-mode crash dumps for PDE using Intune +title: Disable Windows Error Reporting (WER)/user-mode crash dumps for PDE using Intune +description: Disable Windows Error Reporting (WER)/user-mode crash dumps for PDE using Intune author: frankroj ms.author: frankroj ms.reviewer: rhonnegowda @@ -9,14 +9,14 @@ ms.topic: how-to ms.prod: windows-client ms.technology: itpro-security ms.localizationpriority: medium -ms.date: 03/10/2023 +ms.date: 03/13/2023 --- -# Disable Windows Error Reporting (WER)/Disable user-mode crash dumps for PDE +# Disable Windows Error Reporting (WER)/user-mode crash dumps for PDE Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode crash dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable user-mode crash dumps. -## Disable Windows Error Reporting (WER)/Disable user-mode crash dumps using Intune +## Disable Windows Error Reporting (WER)/user-mode crash dumps using Intune To disable Windows Error Reporting (WER) and user-mode crash dumps using Intune, follow the below steps: diff --git a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-enable-pde.md b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-enable-pde.md index 1dcaf5dd95..0122d66671 100644 --- a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-enable-pde.md +++ b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-enable-pde.md @@ -9,7 +9,7 @@ ms.topic: how-to ms.prod: windows-client ms.technology: itpro-security ms.localizationpriority: medium -ms.date: 03/10/2023 +ms.date: 03/13/2023 --- # Enable Personal Data Encryption (PDE) 
@@ -97,7 +97,7 @@ The following PDE configurations can also be configured using Intune: - [Disable kernel-mode crash dumps and live dumps](../pde-in-intune/intune-disable-memory-dumps.md) -- [Disable Windows Error Reporting (WER)/Disable user-mode crash dumps](../pde-in-intune/intune-disable-wer.md) +- [Disable Windows Error Reporting (WER)/user-mode crash dumps](../pde-in-intune/intune-disable-wer.md) - [Disable hibernation](../pde-in-intune/intune-disable-hibernation.md) From 42d994f2c03e2f975f91616c6d30dce4fdd19a49 Mon Sep 17 00:00:00 2001 From: tiaraquan Date: Mon, 13 Mar 2023 12:17:41 -0700 Subject: [PATCH 041/101] Link --- .../windows-autopatch/overview/windows-autopatch-privacy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md index 340d5a2503..3b9a3b050f 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md 
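Review bot: in the intune-disable-wer.md hunk, renaming the H1 and the H2 changes their generated heading anchors, and this patch updates only links to the file, not any fragment links to the old heading text; grep the repo for the old slug before merging. The unchanged intro sentence below the heading would also read more precisely if it named the setting the procedure configures, which the overview-pde.md hunk in this same patch already links as `errorreporting-disablewindowserrorreporting` in the ErrorReporting CSP; that ties the "disable user-mode crash dumps" rationale (dumps can expose PDE keys) to a concrete policy.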
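Review bot: in the overview-pde.md hunk, the link text is shortened to "(WER)/user-mode crash dumps" but the bullet label directly above it, `[Windows Error Reporting (WER) disabled/User-mode crash dumps disabled]`, keeps the repeated-word pattern this commit removes everywhere else; update it in the same change so the required-configuration list and the how-to titles use one naming style.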
@@ -77,7 +77,7 @@ Windows Autopatch creates an enterprise application in your tenant. This enterpr ### Service accounts > [!IMPORTANT] -> Starting October 12, 2022, Windows Autopatch will manage your tenant with our [first party enterprise application](windows-autopatch-changes-to-tenant.md#windows-autopatch-enterprise-applications). If your tenant is still using the [Windows Autopatch service accounts](windows-autopatch-privacy.md#service-accounts), you must take action. To take action or see if you need to take action, visit the [Tenant management blade](../operate/windows-autopatch-maintain-environment.md#windows-autopatch-tenant-actions) in the Windows Autopatch portal. +> Starting October 12, 2022, Windows Autopatch will manage your tenant with our [enterprise application](../references/windows-autopatch-changes-to-tenant.md#windows-autopatch-enterprise-applications). If your tenant is still using the [Windows Autopatch service accounts](windows-autopatch-privacy.md#service-accounts), you must take action. To take action or see if you need to take action, visit the [Tenant management blade](../operate/windows-autopatch-maintain-environment.md#windows-autopatch-tenant-actions) in the Windows Autopatch portal. Windows Autopatch creates and uses guest accounts using just-in-time access functionality when signing into a customer tenant to manage the Windows Autopatch service. To provide additional locked down control, Windows Autopatch maintains a separate conditional access policy to restrict access to these accounts. From 50167e6013db9e3d50083bba253a89b935fd7aa5 Mon Sep 17 00:00:00 2001 
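Review bot: in the Service accounts note, `[Windows Autopatch service accounts](windows-autopatch-privacy.md#service-accounts)` links the section to itself, so a reader who follows it is sent nowhere; drop the self-link or point it at the Tenant management blade article where the required action is described. The edit also drops "first party" from the link text while the equivalent note in windows-autopatch-maintain-environment.md (PATCH 039) still says "first party enterprise applications"; keep the two consistent, since the distinction between a first-party application and the earlier guest service accounts is the point of the note.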
From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Mon, 13 Mar 2023 15:37:43 -0400 Subject: [PATCH 042/101] PDE Intune Config Updates 7 --- windows/security/TOC.yml | 2 +- .../personal-data-encryption/configure-pde-in-intune.md | 4 ++-- .../pde-in-intune/intune-disable-arso.md | 6 +++--- .../pde-in-intune/intune-disable-hibernation.md | 6 +++--- .../pde-in-intune/intune-disable-memory-dumps.md | 6 +++--- .../intune-disable-password-connected-standby.md | 6 +++--- .../pde-in-intune/intune-disable-wer.md | 6 +++--- .../pde-in-intune/intune-enable-pde.md | 6 +++--- 8 files changed, 21 insertions(+), 21 deletions(-) diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index 858bb656b0..38c4f1639f 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml @@ -163,7 +163,7 @@ href: information-protection/personal-data-encryption/faq-pde.yml - name: Configure Personal Data Encryption (PDE) in Intune items: - - name: Configure Personal Data Encryption (PDE) using Intune + - name: Configure Personal Data Encryption (PDE) in Intune href: information-protection/personal-data-encryption/configure-pde-in-intune.md - name: Enable Personal Data Encryption (PDE) href: information-protection/personal-data-encryption/pde-in-intune/intune-enable-pde.md diff --git a/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md b/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md index 3319c6e6d2..3aa684f0c2 100644 --- a/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md +++ b/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md 
@@ -1,5 +1,5 @@ --- -title: Configure Personal Data Encryption (PDE) using Intune +title: Configure Personal Data Encryption (PDE) in Intune description: Configuring and enabling Personal Data Encryption (PDE) required and recommended policies in Intune author: frankroj ms.author: frankroj @@ -15,7 +15,7 @@ ms.date: 03/13/2023 -# Configure Personal Data Encryption (PDE) policies using Intune +# Configure Personal Data Encryption (PDE) policies in Intune The various required and recommended policies needed for Personal Data Encryption (PDE) can be configured in Intune. The following links for both required and recommended policies contain step by step instructions on how to configure these policies in Intune. diff --git a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-arso.md b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-arso.md index dcf750c606..5e89d8e4d3 100644 --- a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-arso.md +++ b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-arso.md @@ -1,6 +1,6 @@ --- -title: Disable Winlogon automatic restart sign-on (ARSO) for PDE using Intune -description: Disable Winlogon automatic restart sign-on (ARSO) for PDE using Intune +title: Disable Winlogon automatic restart sign-on (ARSO) for PDE in Intune +description: Disable Winlogon automatic restart sign-on (ARSO) for PDE in Intune author: frankroj ms.author: frankroj ms.reviewer: rhonnegowda @@ -16,7 +16,7 @@ ms.date: 03/13/2023 Winlogon automatic restart sign-on (ARSO) isn't supported for use with Personal Data Encryption (PDE). For this reason, in order to use PDE, ARSO needs to be disabled. -## Disable Winlogon automatic restart sign-on (ARSO) using Intune +## Disable Winlogon automatic restart sign-on (ARSO) in Intune To disable ARSO using Intune, follow the below steps: 
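Review bot: renaming the H2 from "… (ARSO) using Intune" to "… (ARSO) in Intune" also changes the heading's auto-generated anchor, so any deep link built from the old heading text (from configure-pde-in-intune.md or any other page) stops resolving without a build error; please grep the repo for the old anchors before merging. The same applies to every H2 renamed in this patch (hibernation, memory dumps, connected standby, WER, enable PDE). Minor: the unchanged intro line "To disable ARSO using Intune, follow the below steps:" keeps "using Intune" directly under the new "in Intune" heading; either wording is fine, but pick one and apply it in all six files.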
diff --git a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-hibernation.md b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-hibernation.md index ae447a265b..19a5b9498e 100644 --- a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-hibernation.md +++ b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-hibernation.md @@ -1,6 +1,6 @@ --- -title: Disable hibernation for PDE using Intune -description: Disable hibernation for PDE using Intune +title: Disable hibernation for PDE in Intune +description: Disable hibernation for PDE in Intune author: frankroj ms.author: frankroj ms.reviewer: rhonnegowda @@ -16,7 +16,7 @@ ms.date: 03/13/2023 Hibernation files can potentially cause the keys used by Personal Data Encryption (PDE) to protect content to be exposed. For greatest security, disable hibernation. -## Disable hibernation using Intune +## Disable hibernation in Intune To disable hibernation using Intune, follow the below steps: diff --git a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-memory-dumps.md b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-memory-dumps.md index 7bd550c37b..b9ab18802e 100644 --- a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-memory-dumps.md +++ b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-memory-dumps.md 
@@ -1,6 +1,6 @@ --- -title: Disable kernel-mode crash dumps and live dumps for PDE using Intune -description: Disable kernel-mode crash dumps and live dumps for PDE using Intune +title: Disable kernel-mode crash dumps and live dumps for PDE in Intune +description: Disable kernel-mode crash dumps and live dumps for PDE in Intune author: frankroj ms.author: frankroj ms.reviewer: rhonnegowda @@ -16,7 +16,7 @@ ms.date: 03/13/2023 Kernel-mode crash dumps and live dumps can potentially cause the keys used by Personal Data Encryption (PDE) to protect content to be exposed. For greatest security, disable kernel-mode crash dumps and live dumps. -## Disable kernel-mode crash dumps and live dumps using Intune +## Disable kernel-mode crash dumps and live dumps in Intune To disable kernel-mode crash dumps and live dumps using Intune, follow the below steps: diff --git a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-password-connected-standby.md b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-password-connected-standby.md index 373a303a3c..d61d11a19c 100644 --- a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-password-connected-standby.md +++ b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-password-connected-standby.md 
@@ -1,6 +1,6 @@ --- -title: Disable allowing users to select when a password is required when resuming from connected standby for PDE using Intune -description: Disable allowing users to select when a password is required when resuming from connected standby for PDE using Intune +title: Disable allowing users to select when a password is required when resuming from connected standby for PDE in Intune +description: Disable allowing users to select when a password is required when resuming from connected standby for PDE in Intune author: frankroj ms.author: frankroj ms.reviewer: rhonnegowda @@ -32,7 +32,7 @@ When the **Disable allowing users to select when a password is required when res Because of this undesired outcome, it's recommended to explicitly disable this policy on Azure AD joined devices instead of leaving it at the default of **Not configured**. -## Disable allowing users to select when a password is required when resuming from connected standby using Intune +## Disable allowing users to select when a password is required when resuming from connected standby in Intune To disable the policy **Disable allowing users to select when a password is required when resuming from connected standby** using Intune, follow the below steps: diff --git a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-wer.md b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-wer.md index 673ef17eee..b9c2cff0ae 100644 --- a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-wer.md +++ b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-wer.md 
@@ -1,6 +1,6 @@ --- -title: Disable Windows Error Reporting (WER)/user-mode crash dumps for PDE using Intune -description: Disable Windows Error Reporting (WER)/user-mode crash dumps for PDE using Intune +title: Disable Windows Error Reporting (WER)/user-mode crash dumps for PDE in Intune +description: Disable Windows Error Reporting (WER)/user-mode crash dumps for PDE in Intune author: frankroj ms.author: frankroj ms.reviewer: rhonnegowda @@ -16,7 +16,7 @@ ms.date: 03/13/2023 Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode crash dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable user-mode crash dumps. -## Disable Windows Error Reporting (WER)/user-mode crash dumps using Intune +## Disable Windows Error Reporting (WER)/user-mode crash dumps in Intune To disable Windows Error Reporting (WER) and user-mode crash dumps using Intune, follow the below steps: diff --git a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-enable-pde.md b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-enable-pde.md index 0122d66671..0052247b0b 100644 --- a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-enable-pde.md +++ b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-enable-pde.md @@ -1,6 +1,6 @@ --- -title: Enable Personal Data Encryption (PDE) using Intune -description: Enable Personal Data Encryption (PDE) using Intune +title: Enable Personal Data Encryption (PDE) in Intune +description: Enable Personal Data Encryption (PDE) in Intune author: frankroj ms.author: frankroj ms.reviewer: rhonnegowda 
@@ -19,7 +19,7 @@ By default, Personal Data Encryption (PDE) is not enabled on devices. Before PDE > [!NOTE] > Enabling the PDE policy on devices only enables the PDE feature. It does not protect any content. To protect content via PDE, use the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). The PDE APIs can be used to create custom applications and scripts to specify which content to protect and at what level to protect the content. Additionally, the PDE APIs can't be used to protect content until the PDE policy has been enabled. -## Enable Personal Data Encryption (PDE) using Intune +## Enable Personal Data Encryption (PDE) in Intune To enable Personal Data Encryption (PDE) using Intune, follow the below steps: From 93bb0369d823fc73997d4076493cb5f05184965f Mon Sep 17 00:00:00 2001 From: Angela Fleischmann Date: Mon, 13 Mar 2023 14:36:46 -0600 Subject: [PATCH 043/101] Update intune-disable-arso.md Lines 59 and 61: Add punctuation to the end of the sentence. --- .../pde-in-intune/intune-disable-arso.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-arso.md b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-arso.md index 5e89d8e4d3..9781fb82d7 100644 --- a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-arso.md +++ b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-arso.md 
@@ -56,9 +56,9 @@ To disable ARSO using Intune, follow the below steps: 1. Under **Setting name** of the **Windows Logon Options** pane, select **Sign-in and lock last interactive user automatically after a restart**. - 1. In the **Sign-in and lock last interactive user automatically after a restart** window that opens, select **Disabled**, and then select **OK** + 1. In the **Sign-in and lock last interactive user automatically after a restart** window that opens, select **Disabled**, and then select **OK**. - 1. Select **Next** + 1. Select **Next**. 1. In the **Scope tags** page, configure if necessary and then select **Next**. From 4698fdcbd59ea2eb917ea1135673e3fd7aac97b0 Mon Sep 17 00:00:00 2001 From: Angela Fleischmann Date: Mon, 13 Mar 2023 14:41:07 -0600 Subject: [PATCH 044/101] Update windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-wer.md Line 63: Capitalize "Select." --- .../pde-in-intune/intune-disable-wer.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-wer.md b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-wer.md index b9c2cff0ae..f4a795887a 100644 --- a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-wer.md +++ b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-wer.md @@ -60,7 +60,7 @@ To disable Windows Error Reporting (WER) and user-mode crash dumps using Intune, 1. Change **Disable Windows Error Reporting** from **Disabled** to **Enabled** by selecting the slider next to the option. - 1. select **Next**. + 1. Select **Next**. 1. In the **Scope tags** page, configure if necessary and then select **Next**. From fbc855f946175a7168bfd40790f9ba85547fee74 Mon Sep 17 00:00:00 2001 
From: tiaraquan Date: Mon, 13 Mar 2023 14:07:04 -0700 Subject: [PATCH 045/101] :custard: :brain: --- .../whats-new/windows-autopatch-whats-new-2023.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md index 74be47a517..abee39860b 100644 --- a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md +++ b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md @@ -25,7 +25,7 @@ Minor corrections such as typos, style, or formatting issues aren't listed. | Article | Description | | ----- | ----- | | [Microsoft 365 Apps for enterprise](../operate/windows-autopatch-microsoft-365-apps-enterprise.md) |
        • Added support for subscription versions of Microsoft Project and Visio desktop apps
        • Updated device eligibility criteria
        • Clarified update controls
        | -| [Customize Windows Update settings](../operate/windows-autopatch-windows-update.md) | New [Customize Windows Update settings](../operate/windows-autopatch-windows-update.md) feature. This feature is in public preview | +| [Customize Windows Update settings](../operate/windows-autopatch-windows-update.md) | New [Customize Windows Update settings](../operate/windows-autopatch-windows-update.md) feature. This feature is in public preview
      • [MC524715](https://admin.microsoft.com/adminportal/home#/MessageCenter)
      • | ### March service release From 11f775626f64b39b8651e9b89c14c47cf7d4f1ab Mon Sep 17 00:00:00 2001 From: Thomas Raya Date: Mon, 13 Mar 2023 14:31:08 -0700 Subject: [PATCH 046/101] Update .acrolinx-config.edn --- .acrolinx-config.edn | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.acrolinx-config.edn b/.acrolinx-config.edn index 4adf09ac5a..e680e14a80 100644 --- a/.acrolinx-config.edn +++ b/.acrolinx-config.edn @@ -1,4 +1,4 @@ -{:allowed-branchname-matches ["main"] +{:allowed-branchname-matches ["main" "release-.*"] :allowed-filename-matches ["windows/"] :targets From 7667e3420b85b4dabad3f787961267665b318609 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Mon, 13 Mar 2023 14:43:55 -0700 Subject: [PATCH 047/101] tweak --- windows/deployment/do/mcc-isp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/do/mcc-isp.md b/windows/deployment/do/mcc-isp.md index c7186e2d85..11f579c603 100644 --- a/windows/deployment/do/mcc-isp.md +++ b/windows/deployment/do/mcc-isp.md @@ -720,7 +720,7 @@ You can use hardware that will natively run Ubuntu 20.04 LTS, or you can run an > > :::image type="content" source="./images/mcc-isp-ubuntu-upgrade.png" alt-text="Screenshot of the Ubuntu install's Upgrade Available prompt with Don't Upgrade selected."::: -Your Ubuntu VM is now ready to [Install MCC](#install-mcc). +Your Ubuntu VM is now ready to install MCC. ### IoT Edge runtime From d0f52a6afb42ac0ac78abc594e8fd81e57809dee Mon Sep 17 00:00:00 2001 
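Review bot: in the windows-autopatch-whats-new-2023.md hunk, the new "Customize Windows Update settings" row ends with an empty bullet ("•" followed directly by the closing "|") after the [MC524715] item; drop the trailing bullet or fill it in, otherwise the rendered cell shows a dangling bullet. While the row is being edited, "This feature is in public preview" has no terminating period in either version of the line.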
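Review bot: the .acrolinx-config.edn change adds "release-.*" to :allowed-branchname-matches; please confirm whether the tool anchors the pattern, because an unanchored search would also accept any branch name merely containing "release-" (a constructed example: "feature/release-notes-cleanup"), which widens the set of branches the checker runs on beyond the intended release branches. If the matcher does a full match, the change is fine as-is.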
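Review bot: the mcc-isp.md hunk replaces the `[Install MCC](#install-mcc)` cross-reference with plain text rather than repairing it; if the `#install-mcc` anchor no longer exists, say so in the commit message ("tweak" gives reviewers no reason), otherwise keep the link so readers reach the install steps directly from the end of the Ubuntu VM preparation section.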
From: Amy Zhou Date: Mon, 13 Mar 2023 17:20:11 -0700 Subject: [PATCH 048/101] add new screenshot --- .../deployment/do/images/mcc-isp-migrate.png | Bin 0 -> 35721 bytes .../deployment/do/images/mcc-isp-migration.png | Bin 35234 -> 0 bytes windows/deployment/do/mcc-isp.md | 11 ++++++----- 3 files changed, 6 insertions(+), 5 deletions(-) create mode 100644 windows/deployment/do/images/mcc-isp-migrate.png delete mode 100644 windows/deployment/do/images/mcc-isp-migration.png 
diff --git a/windows/deployment/do/images/mcc-isp-migrate.png b/windows/deployment/do/images/mcc-isp-migrate.png new file mode 100644 index 0000000000000000000000000000000000000000..02b9afd16c384b807c452dd9554fa4330c897f16 GIT binary patch literal 35721 zcmd42cT|&Kw=RkW6&orlA_6J`QbQ4tE}|eHz1JW`q<2C~qM)FH(wmehy@w8=1w~2- z1f;hFDIq|B&_aL^a`W5Yx5pXhoPEyNcZ~bT{Uc+I^^Ux2t#_6A%x6AxebU#}xOD#Z zc_t>NOPVj988R`Q9Ao?>&YfXAaWSADF^Us@h8jMY(bEc}?5xFY}gov_Jad&k5S&8_)N)i}s@9eXLr+9_+3&U5qT&4x02gDbz+FIpsg zG_>V@#cXhwZJytFdfxW4qS(2#-?Ro7z){KK-BaAF7!Db${=K$|gIrIS5_-`}1e?=n#Ou>cOt%{5-vt0m4+cdERpue; zePPsLBU#M|m*IqpGLBp4!i$SEJ~6owWDvxz==`|_fx}@~;2yzov|U$9^&n6=w6GS6 z_wyaoC=Y=77L16sn45YCx$ne?4~c5GcqsiakU8$U7#rszJuJGKlF1>{+A4}@^Rx(X zY0V7yJSjulFPb92+>)}RW*-gfWZSH^w(bwrZF^&^DAU_})2px_3i&RtzB~%U>vBvj zd`*wvyVz?3EH)z{)Ddny7f&(WJtOtdfmYz&vc8w_(_BX3O?I-^IGY>(*N(D)tb35P zuR_4?+!VRgL-O%9Y{`TJveW2q>z|WJMiB8|&o-biHm@7&Lkn9TZ#TLh{pmZ$r#-b3 zR|{1V-CG(k2h8w_N(*Rpe6DkyeeFc>l(L@A-#e&b)uihIrB3mqWe&y;YabWBPuB4r zH|mgl{77UyU^VY`2YGw5CpsZ?GXw$VFWlm3(e?}yFU9$>qAoS`?~y#2n0$n|&0#d@ z;QgN(<=tGqJ|8&DYJ|LI`h9(V#YFdKNcvNBh6<#>Ku%hR*Z7lW{}gIKpemKT;O3jc zvCg@Y5)D{S@esNz-?)9!1xfARjyeDI3=C>|C|i~=mD}&1d!VB}b<cCG2q{Pc-&CS`VvwQXm}|Aoq%jrmjoaHtQAM^t&d`f z_zK(B0a;CoPHCRg){5_M7-B)79}W?k?mL)v(H2W!j%pgH8y;wWRoiP(_dxB7A(&9Mm%4-!>jFDK#e@fRFE+Lj{GwU)xt}#h~-@b5P}wP z8M2<)chR{4X6zTW0k6F961Af-E8q)uRg59K#Q+(lwC!=db_0E zu<+k{=3*eMU&NzKyMlDT$~%6&?0G(~43W1xqkYFe=O@SzE1GsM2L};B_`@YYkA=W8 zncqoOC&GGYikB0vgJA17?|$)1?!>epC!ClR&)F^P{zCAQ8-UZ zv!^zijaPwhKO6OUjcus@z#<@A@$UFI*XuJUnZ$jha;`7VaaN=>8~?Seb4NT%d-dVi zC@{VEONm483wZ1dA4ra4Gw+e@@B@mz6RpslZBgrJd<6s$-VOm8Wx_5{=0^oL{ZmcTSnM?TqiiUr4PN%lp3 zaY5k=V{jO)rd$It#pz~Y)%?s|AL(^E=5ZZtgV~)tB)6t3)~Zcgnc8j}8)dh**|Cu} zb4s)Xg-s%7B53p0gdEYCXy63V^Ts zzE*?ctMK|TTRN2;m9=RgNAxSNme~F^B#ZwvZHa$M3V&I*b^)1^!k$~*qia>>QtDqG zR628$OCwd zSbYT)w_d$J^7p=dsL~vMEo3vq!v4^1^lkbxQfdng4mdfwelAdlV>-Q|BFtg(>|8T? 
zv9)k_7I~R0>rnuaI>q$xij|#`{|@27Kjx=`r}% z@Nw4B(FELDi`|QJr;cX$ZnijNy3FE=3&8h@P#v3;**yF=IPpSNN&Xh>C4X&ErlZbx z<=P76qjv~CtIdF|zj3GnvBwrA*+`=)WACLijUn7OGLvr@dnP)+jNuaqGgLP4)TvKE zG}&5?VHd)ZY0etlygUBS+CmG@?~nKLMVB4>w}`6QsM4wVQlU8GpMjRf4NJjR*^NF` zhl6^hZ%5n_mV5QhCi>nTY8!5`lR#18ZteY@ucjVyyB^MnQh<^XGrz-tycw-yeCFGc zQp8Yk_&huIXFkKueBin8l{40F#=Q}TXs;C@U1mMZ6E=bCiezI2n_qg@2vg$xZI2p! zX>8BK9b36c_M_OS;`OXT-AG*0Ozen+KD0uVe+dgHKZ3JIOH+4bZCKuGp-K;|L6Akg6;)rfgY`!;%Q)^G%}dSLyfcIHUm z`ve@+VvPuJCr$b~dZk9EmL#4WKI=u-q^k%krIym>*XRxXK1F9pzSDoa4Yt}iqPIv9 zA1O)4RM51cMJ7G_BvYUH*6A@;AmEEzJ!;x7!FTRZ!)dcSR*N2?lJZkSK2J5(XX7QB zOq^j&ox$2v|3Q4$X6^u~2oESq{?(<9@FSMo8I<`66V zd_W0(bSFaZAl%;5Dtu#&wI}peJ?sVrM6Z8k9WUuXzUV;ec2YiK`bz{`Ew&jiWDtVy}Hm|K zd1@4lRyBpwz<+Y)N!|+~JW1L8k~QB3B=t1!)t8X+s7nDw zRh=GI4TkbC5X{VGYT-^I#;3+5Idk`!C3m1k=j$R0ckud}2?JcVW_O}s6^CyU6?6AO zk9{5vz@$T)fV;p%I+zqg0@>HiLy=$Ad>&dGzVp*RzWphT8^0GRD-J8%h1Al;VCgXYGmiux$d2@z-?i(#; z+>kzw+qqf3;|(*ExCdhK0kX0v3tZ@eenaaxY`v|o_^#-xxDs(yA#dGb$xhk-UG32V zpKr{Lz5W^Kh9XB{)B|vX9Lpb4-I(5f_u@~J)dw3y_9P(ASPXmC4SAP^9yFXV6tu%N zWN7AL^U#AUN-I#~H_C95zlrs0`~`&(pVzm`XN^iz(ieOO22WE|4{RX^P7F6-%8lts zi~YGWSe(a_(NgCn_Ka)Mf9J-{O+?z|)j>TP9J2Rl(&5KBwKG}cLd@hSn{ zX~^0|ZtMpA&U9;r$>!$Xpqj7QIJtUtRUM&E9<|{4QUvZ-5@XG{MJ>C4G+uh1Qi!rB z-o#${TD%{((p}cFdx7w2F+1c}($yj`xoQ(quKZ(kq_kxC4yj~NLhhwuIei%iwkIh0 z(!R|DQ&psP8>x%SHFYR&_U|%e43xTF=`E z{8hRcTKCJVHzOCD-!(y|`cn3#BzNC-MqgW)B1QSG`+e^(q< zR4Cl*g>BfYlP8=#Ut~)-X*g%uSnb;ytxJkV>-h6L^uwjF!+LwxxyE}+#-j6o2J4;f zp8NgMpGPEacza_;RyJN-K=x;-D==ggC6K>`PR%f@*x_7N`&kPqFFeJx##xmV-m>oW zgMdkN_^MpcvjD(~EPO)a6+j|p?@B`2sLzA#J9LI>_n*nR{E<$8sOpK|CjV^0jF2~8 zYHL6IYbE3Yda19WGzHjSiDuJ5p(<>k-mo{e2hZ@Dz9Glu-6bW)4;OCtC7-vvmayBF z0NwWqZkd5cP+A^xnvL{mMswmL13SNd>H}xl+L32-tqNXIbTJFmPt(4Ed-k~R_C{TB zZE#M|PT!xp(Ld8AJW&<|XJ+FkRvw3Yo!#63@R~&nWpD6lI}0cG2X~1}raUD9p#TnboTD`(`6oA-IY)C$-iq(|5Jl*Q;r~#aD^E zE46)0LC&^Zb8gAL%v9<1J8&x}rE&T73eT;F+va#W6MAO&TjtQ`<4cTV16)5nj7*maMWyH)YKYf;r}>6hGEVINocfC&+Uk48R}Bg5Jsr%TL0AGP(;>jv$`pH#oDLN 
z`pxR6fUE#I$SY}zf*5|brRQxAN~!hepN0L*rINa#vMC6d4d3|V^tQ5@Eu@AV%hXN^ z4>hudV=cGC_%4^BW40_5Xbp(Pl$l4aoiM?ld%JhGFOk zPDoax6WPJ?sQa;iQW7O!plx#XxP7Qu<<%-4D^J|@Nd4xOIWLt=`T1;8Rfg#geZkRkL5rdFKeu&}&sZI&d8;z71Q2HcPEMu|ucMP)iqK|UO%e$gO6$+DA7i+0TwGOTw z)NPmZ+$f09v-EDFIzHf~s5{nyJo?kVjpvE%S6VrT{f_64mD{dVwDu-8dJNI+<~|gn z@(#FjdO~{r(nJiXGwX6-(e}=vgE0T^Hy>->Op^>>rVM73v=+SNt9nur>krfYOzCGM zjcjcRoJR+Qw*ltISJN(e3}kHg{WT{&NKE$7`$p;S7CX0!uS*@-?jQb?{)@_pRe1cq zVlI#m`NR_D+kmddgL>mkA`bVw&hXLdOcB`AvItRZ0;aV1vgE7oo|z(G7-z@}$=vST ze6kI%c3WVfJGyn{wfHQ=DDrTumk+oRNCGJk{4MP13G^4^+(nve;o4F1`P*lPd_y&I zMGzQ~@n}xdU7B+3xr?pEXfAhWcte>vyxCyC&B!$5Kr}{D@5z z9e*+H;WQ!)^UW`_eI4!(rhFTK7^l<*qHRu1KOn5_s0Ih2vxfZ0okNQvUfG#+#2Lyn zU1ZdV#6e{PD+pPns|ZLjSt1VpIbg;DRWrb?-2$)*wGdt+;vDX>z#s3Tj#9yl;>G3(5cg_3d2JM$2T+g z3`SLWkmf@??wi_uPla?-Yx>y55Y4GgL<;mS|I`TfEYsVS`vtd&9S=r*ka=E*;hClq zfQL4ND%bty1s3NsJiVb;p2^LtIm-<%^I#_qhN7$e#(zrcfzR3Q*O7V)GJYXnHriRl z)2kWVjr#J6-kmEySNN=!T@k0kU*zRZ6X>F|PgM-Uh z(0fPeBKu{Qgvi(QUyX5c302z~Bo zE)^*B(F?J6GI0{{h*B$z4HQwfx%MMaBrbAHVR25hbg`_3R`op~aW(OR<2#V-tpLT< z<3@1w6ey}WVtXa=`%AB=(6W7Yr&Vz66HHUBn&-pj>?3hGk4_MN>m7GP|KZt0MNDUW zNN}lRGJ-2#s@0X$(NIjwA5$8i9tfFY<8;J(#A+Q*>AlDCBrYvq$n#^krM`iK6$ln` zc5AWO#^JWl#@nz}$K^u>Eac*n0d>D#A#Vj9k&CoGT%_%dohg>&s?^SUnpL;Ph(IhT zj`|tge4%X?B_bygq|&Ez$H38Y;5v@6mM(K|TR#V1W^$0KHND+eevZsqwXd>tlBr$f zI?+azsZWd*O5*ktNF8=M@u8dPt;N^&+fQ6h$)Y~U;smE{&xtMh1GH>KL}vq{*9c=! 
zRSZFwib;GruIh~bRMbFfO3?-J{^#8W>|YsS zG0ym^e?_mmZZo3SA5XlKW)xRWopfUqchCGg-mP_JEH=_?rgGg;LJm21+gq?Q3}$jl;}?OH&D6 zsUa~glOf3G>sE{&V$csch{2Mi(ZUNSo7s=oU3{Q7pB}V3<2f5d5~cdlnp+bT{0f^H zO0*$NO__Q^O5`)!E~VE1*!*0_jawFC`c*o&PzpTcM-wLh3@q-hmg;-KX!d1OLc?@u ztzTA8@%>f+SiNlvWc#>8>NmW{fCRR5th($zO4N;a5|ytV;}|36(@m7Hip8`k*~KCq zGnB9f7auL1u-L&){Hy02M}M9@ocM4KXbEGL$f3bz@3q9@_u39E)N6o8Bb~y{%Azl z7oM)JyB~^pP8okQeS~8zm3yw+CPDiB9477`{YWG8!Gy=wc<$tMX%qnRykaUZh31NE zM&hi5OONoA9+goH>EZiBE_3#so+;=IwUwQFayr<8fYa!!1Rf!wGt&n}vbwAW3*$`= zJQksoIOq`+>75aLU7gX+z0QX4o?%_u#)a+QH5w?C0f$|%aW>?*!;s`$ zue6gFScUp_yv-79>57-a9r5g!jlecPw``-O@QZBOiO?z{ELzviR`0EtQ~ZeYk;rBh z)C|A_A>XL+EN$g^tfLEoQ)?$SHDF=7fv+oM12FPd@Tq-Lut)6Qq+vxm00Q1cDk6<+ zgYUsv)rf#pjLbAzWX5)ug$#+L_ZbCvTK}OPmrSw0=8#9X8UYyc3=>~+fLWXaeaSHx z4>TDhj>u@7ek1X?27eQgubHRK>}LiBe0{QEF1Omcb$UMc51vQ0d`EV%M&sMn+(A6g zLUFwE-g55e)6GrS1&RcL$={qKW8=l>l~efCL`Li1i?%%*3TrwUyRqq*d_(TQ>$Ayp z6Jz-dRjV-VTF9_j6hs)=Vif{Y(fYc*nnV5&2Q0lI&@Vq#n=5asOl{E6q>ryRyB4+A z?08-c$hn(NqILlHZQ+U(TyB?%M%bFc&Y~Q6=#{O)_B8iTmapY9jk~CJzoqFDoha@M zLcNqSZyo$td;c_JS66RTu`ec@wJHzIiZ#}a9scgY;S!X;FG1`4rx`kzeo;%irJP^Y zc?^y->GCtV8axUA5GnF&<}2VCbF)s}b}v^!-(R908U-9?Ut-2zz=#(v=1kNc7(b!o zAP8kwu(L>_l~~I6vbk-s_)b`|g9+1YW=JOwgjOSfF7bKo6iaLN>X}s_$`ZYMEw-mT zJvEjckICZT4298p6I0F^m+d9u82hItB8$;5woywLGDdVG2W>lA1V&obFNoD>+Xll? z<^&I~MbYbE=U&MGU$$CsOv4uAh@|Cf;coo1o=<{%G5;agJ!Du>M*aU_>HhD^-hcJt z*)@|sKc<=)PM#w1fwz_Qy891KQgiGo=2~?W1n5KhCA=`p}8S%fESA!rJ=0=!i91S5#kG@du_;HCMZp-Zs80y8i6! 
z1&|_ndQgpZ*g}p;ij5S^#FX=~$a9|;+TX_^lOeE4cW-aOuj(VSs0p1m3$ z=CN@sz2u07BKfu*x9!dFp65O!dMfqrSDPnqCzF(T^_13?H{=Kqgx$?Erp$YP&gwtj zS2ptuJ5=yp@mX@ZvnqcCMp#;QQ|1(=i=M27pT#7HzC4wcGhcMM3> zvjDoV^S7-meK%ObC~ohYgHuVS{_nZ{1(S&*ySXvNP0<@4OMNODXQA>2ub5Z6ZTLY- zG(F$1!5mQw8M5i%dQA-2ZtIrb;t9JY4l}!Q6-9tD-e$?<2`fcxd5By<-^x&VY#~Cs zMKbH$0noqB47aFx^4-nY!^lyMwrjZLcFuRM?ZV}Dfy^ze zIq=2EC1a{CFx5;po^%77MI1e`I6KhvXpwDacI7lSq~-X^Sh@%8ox<_<6|w+z&F?vP z3s-T&1{(FydAzhbpQxBV;Pq5d7bVv_%5$4t!hFo7Le-K0($O5&)LgW=*u2c!eB** zsS_D(Eeq9;s9-pZICO=UJx=nY9l~)mXABkSTt%LZ*h-CR6tD-gHg&u1R;8uJj}Dtt zci+LA7G{u_# z?w@Q3F&_z4ZSbfH+i~vL?nfGRkYzFs!jD;&s;K2_$i&X1QQ(}z*sJ3W`E@|UfS19r z1yyQefs3i@cu4iP~vS^qa6`E4IIe(%%Lh!KTOO-Gv&B+W*m{BLSO}Dm*T_fW`pqnBUY7z z2VMso)iW+<_8{cE(mfm;wi<9S{3gWuS;kuMA>0rxJ#Yi0^pp5jI(8@QCoU0w+uK$S zz1dJ@%=2t;=No>4_MO^=RkjK`m~;8;l{gJps@qYVV8!f(Ouwp`y0PJvQKuWqrR)_} zbx=3IetA7wKlB$^ntMBTK%tvzzPv&X%a!WZSgb0vpjLf{Vdv(+oH$Zv3#8A7nKc$N zOQcj%vd7_MwPqS>b{~4m-2i&_yajb&$-@k%To=n0%1J`@f@hnjZ;2S`vGu{DGF;Xu z#-9S-n}gRyWJ&w=u>hECY^$lMp-`*M|;z?!g~DVtPTShI}* z@jMb*2C2i7&3;n*y^P`y>LjVwv7E%M4Z(n!Q|;z4!Vcv%22B`4U~L{x)1sPlVSxHn z1rk$O$SF%RDOntW((lUJa)*IJFsa9?{xViaWqX%{|Gqo$olITIfb)?R3B7VlrMn9m zbW~Wm?P966P03%q+$`Z#>1ZGihhw~Dz8>78`F25y0mw+d`7wPPorh5btQ%Dy!i<~i zMi7RSnoP@_Da?U9+R@2^*CIVbm}CSXr=Y3!Idn~hZ*oR(=ncn&d8RQsS zh%QIMM}Z_7!99V~Xyb1WWMmSxgywa90_rJ;0Ywl1rG)|bjcN97D|990Lk*m^m-&F* z|B~L^&~+OxYK$Ve)enD+tdR^fpc?QffGHX7OEh14n2mhSp_*64vCMtwq0jbealp-~ zR<<6VOs`yjj*ns|{*0S0X1tL57yFwLzMI!fIe0)TrJ0rQXRJV$j4ZI%6^!~7tFZDILe9il?$HZr}TKN^qf zGw`9^agwXEnhVZ0(KK?ejx9LI7+OplrU)WL=5P5(ksGw;Lj%FVRm$)rc$i?x0J$+J z7Q}QbmSO$BUCwJ|wWQ6IB1cXH7}Elb!LJeA`(rAl$R8{_B_9`BSVeEVAhL?waPJ#` z7pShZ7Bb2*$YaaC*4T$MCkQX)xQVg)4rkn{DF%InpkPo6<8m8$s9JQ;RDQ;zR7 z9t(cH+|`!635c|^u^r)ICC+y?_eHrDLo(@Ros=ZnoHEYoG`m%L)D7#G&x#G>s*>Ja z*FS;#g8O9ihjuH8W0~^VNNfHa@LUjyIz>yI&l{ge?n9c-KO!!Ljv;M0y*@{M2I5pa=146AS|79cJ^Ri1$V-(tc%N>(7ZQ8 zIc%8eg$8wyA35MhPLMXMb6LousFZiX_-|aOVw|=@B4vWK=td{YPaiN$;vxnNB&)g;1?kr z6<25{j09O~EaX2vBy*5X=jnCFw7qK;(b>v@sKn2-9$w$Q81 
zdXI}zamp6E7_|2RR{*9I2b|&U^x9Hv$!LxM7>l3XAiJ08_YlerA zZGEKDmoivskO_?$H^Jk-nU9~f63Dzl(Ms~Nm4{15mj%Ryz#^-OpSgVL4ZaD3BtLL? z>w+ob@ZEufylFH%cOtZ3DV;^EBv9|PIzIDUZ3)ulXTuucX-PMZjVFL9y=%W9=wKau)ifxCBtl1p1ah1*$YHw7x9D=&$R;lyPTQSBiI2=ctKlEI8FlT*fmA_HZJ^5pGVPjA(PdcKL0#=iXSYSl8jMY-2ze2 zh}oJpA=q0(+AT}xBAt-g=AU)k%1}k>eds|*i`mpQHm;XnDfev#j?e?i*0|6oJPY}I zxt#hq_QSxXOsJv2YlZM3cFNO+pcS^Wv~rWp^Ik%BIxA5j8 zq@6Y{mK|k~UM18tr|-VupMdL7c-D^I-fRxM#_~YGeq5KVP+-&WA#fZ7%K-*QMK(`Zx z7dm}d?~0usOZ($5_=myhboL`;KVMD=7(7Crv6WWq)v)_gHIdrAwRI~UuHA30;*`Ob$k`~Hej zv5$Oti4o-qOA2Qa(^6%MIm-_CC+AV(?!OsH%zqUR`tOYRzYHY(|KvsQcH2(HS!Z9H z==@jM@4-&RKtKeS;EuholcjKezFD5D1>D_T_uCI2l-58_$jY6YF6L5<9K+X@0A3Fh zZ9Wg%1EEyy5WmC+ecBqpQe$`ztXfq*O8$XUxxfQgxv%$!sb~iGY!6zWjR_zb7FSq` zDDf_l-DO)$Z{G~i#41tlnc$oMk&XaRFov~*;q(1*s9%9#!Nfo z7)C{6yT6^0^46CRoj<=)km2ewIlre7Vo|5?Ca8JY+xTpud~U@`S<|f7>K_Zz<%X5M zpdw%tmCtDYeJ2cp_AT~}TztSj%%Us9xwXz{xBX%RU2-gdOI3Wbd2}EpWKx$t=VYtV zFzyt*AK41&{ z`AdxXMh$Y@b2k)y)QGA#{>tlVp*>UY5j3A(yMbYAIC@Z9ZYnd)nF_N2)l;J|%3HeU zBF9FpcFs^smnB=f)2i1Q`^=~VBFd~eG7?#xFaJcisB^FPwot-+WGa7+d_p|LNLVo` zphH~N$WpXUTJ>&8gaTl2cu47wsue1rwD5z)gzAd*@|h_4qIv?CWy7PKuX3MlBROBL z9%S{^R><+7g9{?jlz;%TN`{cI&D^oGNYbD&sDDcT8_nL9}(jp*gLB=$98w9vZK zs&6uI`KlO_#0zL)tYX^Ko||13=Q3;W6=Quuq{pR%ZBkBrTpk<4g_QPe{D%E;vi-!3 zlH$8frriDL%N+cVxmSUL*jCRg z*yYpH5eZ!0ZXXhNy00>St=}+f$|4_3deOsGtgf7%b`n}xa3Wwu0*jlx_2OJ8)dNmN zo8eQcEAGR5036G^I?>f6UV>8HK|1~Jw2F|5!@81;oJ9bAnu%n^4E8nXl3|>`mwbtw z<_ZntQWlzUM^$F4(yS-q=lE%T`KcVH!;e;8`aaik&AJw@T6pm{s^puU0=BfURtn=F z(aX@i)S1_Tjbn~eb>3I3AGala?~+gJ#zq=z=<8mq6>Jn27dsA#9PjNFBR7q;ejk~= zsnR@iS0_Z}ARTH0D(?nq*1rhE*{GK~W@OL;8ado3b0eRq?D-{8KsTEvYcRs7wiEPDOx;bDYrYQ)_;YG>2({n z8Khl+1h#FeAm1>6ive20X&7TR<5NtpIcbx!H<0Cg|4TCde~!1ygMi7}jv#rZB%77R zO?$RZ(#=@AuP185soNk07zQHocQ z7hC=NHqfSyk*vS_v20i5^X+T~8pQ9Aybji5C-zu+YfXC@x%R4;~P^KaUPocV3(|6sBD$4_3RKH~bA* zQ*Pz^x^Lo(Xpcz0ClpuTeRotsgfk;?X>`$Bax_C$;RLxQc<1QVAp&9@a**m2^yXt9 z1KHC|_>tH1?(@|p%c0~{-PET{Kc4@n@Bkn4XjMM16{FbjVM+AIhN8i!Gf7R 
zJs*|*WB!BPoaal)+GmHj0gYqBuS$A*S7iHUV@fzystPC;Ab^8>t zO>E_*jJCrENSnzJneZWE_3`_Z470C)R`Jn0HA6Tznpdm;WmYZ1Q@4;T3rb2=4>~d` zRmnBI`-S>pzNulzbX|{=kb`-u81tWjEMHFO^mQBCg?=kc$Xc+*kBH^oUZI^{@*#0< zt@d&Ss7<{qq&JA1e)k3B8O)a-pJ?mSlaRPLxVCdmc{bE0`|!Z?;P2$z_Ej!pds>xQzNconLMBCTHeOS$u{r`n4sS8Sl75!@kSVPB~8C`d0}bU za@XgtBFEYw(K}-C*wQF6hdZm+jR zQ9F2R*6dIEV=H9hM>8^hPtMz;M^02Fc7mc<<%fyu=7K|>k(bKZQNn_nk7TvgNTyJ8 z&+ouI8NN>mL<8zCVWZ;73SIubzT7lf5+j$#&bds2c~W|e2c#W^n+Sxl)Cb6fG_-J> zkDKL2p2l9nH=o&90>#f_T*P}l+ z04w?Hoyd74S}LRVNLYOIL?L_HO>yZls}${I9=j#u7fsftR?-gE;)15A#w=aFU43CCJUbKoaXAUPwTLOt~+O| z+}c|Ba)W1l;cI-V|CROB@D`~a`;2Y@frj5a41{*u)>eHWSUly5+R*=5#Flo(V(iUW zC-k6h!a(SoBe^=$KlNf@x7cF|an>x9DRHVO8=jJ^J80Q-{Q=+lVNP$hom*~7djDlD zUx;y@y-ntdq71WYReXs{-0oY;wnR-Qe%j>tj2X8rJh>H#vZp`7QEoCZNp(Wbl?BL*o{r@|=UGLB zIDALnPav9V4ZL{zf!Pf^be4CxW=u3*-{Bfcb%jTK!Jp3=ZjXRfQQh#^!=g;zMvQ&w zT`I`5bx*z7_%stk$oNN_ZW~yhaS8~r&ibbVRBL&%tI_ssFs|< zNK)NKeG`V(lXP#9i8{2p9AXT6#SH<9<>cK=y_q4mpHVA|Z|m=Nl2~S zwLCkHv3dG(GODf8fc_>11a(`pV&K)=$)x8J3Jg6S}uD&|VyQ+s*EF=rID;Q!`zU%2t9(sxi#yfxkZZeR0z|HLB3!~a!b|9?-6{-rw&_w5YOo@Ha}b@tW{5;+*T1AVgp8@p?N6iA@c z>hoOP@C?C6`acF7NWzJxA43j)(T{RCB&GGwpM2>cZ=|Dti7Cxv*Ll|Xs6OTYpp&JU z1a8a-GGO4fMR4bN#QInU4NCTAxXYi?lG^3R>&#R9o%%}~o$|^{3`=O;_A49`x%NL& zdB!El)t0059lS?JjwdQzBKu{jw5^I|zu}=}Zj_ZjJ*q&0wN-D|mx66ew~UO6S}gFI zdFY&Z;A269j`ifHf-NdqR$UKvoo}K&8fMl`&oHKOL0U<2jDgG#?oV8N^nx&0d2zM- z+k5}|u@Ud%U&JKQthFlv+YRu&$-f$Xf$+1M%EAZrM@Xpdf$F3i(ad#Vl-WgeB(-x+o`;56-PT{*S-aEKy>7w5;b=c?Fx$BYaPYX_v z1gu{>uaL+oXYJh8U+Ic;>=2&ymg?R+T)&oTPpm?Vug!H9lXn;M@(sLHO(kjf>!hh- zxnG$Ug}o0AHW1i^li(re8CuA5%RErA3bav#?_snc2zxO6Jh}hb zA60)Rr{rLK2#xF=$T&R;K;C~s0bR~2XU3X-{}T2v2cQCMbmNkVs|jn8@U>TokH#LM zxQzNvep2(w<`m@Yji4FB`{=>5g=Qr7D4P7(nf@=PSGYxQ>vRB@1S`N>BhE+IQE z?j-lIOCPZ@m3+ic4ddtC?7D2F^2W{NGn6!!xFiM;!Y>44mA5|{n|?q)XUuMI-Rwy>E`L)#or#hf zWXFb4?ByYUmi8i5C+@5px)sCuxA-Gmldm++{C#Y_^y5KnVhOIo;8bwdz5dI!TKvt{ z-!l8WtH?zzZnqy`*-oc5_2mZ%etbUu$&9-&rHrbYii(krKmt}oLgbBqT`j0tJ*?oP zC7?*?_%eBmbGojQr<};@@4nyZR{9w~WsGCdzeh?5*|Sk$SeVkK^w6ldZf@}J^vjId 
diff --git a/windows/deployment/do/images/mcc-isp-migration.png b/windows/deployment/do/images/mcc-isp-migration.png deleted file mode 100644 index 50990a846662804a2aec4dee7483e9653cbeeb1e..0000000000000000000000000000000000000000 GIT binary patch
-### Configure BGP on an Existing MCC + ## Migrating your MCC to Public Preview -Please note, if you reboot your server, the version that you are currently on will no longer function, after which you will be required to migrate to the new version. +> [!NOTE] +> Please note, if you reboot your server, the version that you are currently on will no longer function, after which you will be required to migrate to the new version. We recommend migrating now to the new version to access these benefits and ensure no downtime. To migrate, use the following steps: 1. Navigate to the cache node that you would like to migrate and select **Download Migration Package** using the button at the top of the page -1. Follow the instructions under the "Connected Cache Migrate Scripts" section +1. Follow the instructions under the "Connected Cache Migrate Scripts". section within Azure portal. 1. 
Go to https://portal.azure.com and navigate to your resource to check your migrated cache nodes Here is a screenshot from the Azure portal to help: -:::image type="content" source="images/mcc-isp-migration.png" alt-text="A screenshot of Azure portal showing the migration instructions for migrating a cache node from the private preview to the public preview."::: +:::image type="content" source="images/mcc-isp-migrate.png" alt-text="A screenshot of Azure portal showing the migration instructions for migrating a cache node from the private preview to the public preview."::: ## Uninstalling MCC From 699cd3f92e19dba7a2ace25cec046e22ce2db760 Mon Sep 17 00:00:00 2001 From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Mon, 13 Mar 2023 20:35:18 -0400 Subject: [PATCH 049/101] Clarify destructive PIN reset Clarify destructive PIN reset --- .../personal-data-encryption/overview-pde.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/personal-data-encryption/overview-pde.md b/windows/security/information-protection/personal-data-encryption/overview-pde.md index 1d9f7d5bd5..a88c9d276a 100644 --- a/windows/security/information-protection/personal-data-encryption/overview-pde.md +++ b/windows/security/information-protection/personal-data-encryption/overview-pde.md 
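Review bot: in the migration-steps hunk of mcc-isp.md, the added line `1. Follow the instructions under the "Connected Cache Migrate Scripts". section within Azure portal.` has a stray period after the closing quote that splits the sentence; it should read `... under the **Connected Cache Migrate Scripts** section within Azure portal.` (this doc set bolds UI labels rather than quoting them). The new `> [!NOTE]` callout also keeps the old `Please note,` opener, which is redundant inside a note; start it with `If you reboot your server, ...`. The same hunk deletes the `### Configure BGP on an Existing MCC` heading without replacing it; confirm the body that sat under that heading was already removed or relocated, otherwise it is now orphaned under the preceding heading.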
@@ -88,7 +88,7 @@ ms.date: 03/13/2023 - [Windows Hello for Business PIN reset service](../../identity-protection/hello-for-business/hello-feature-pin-reset.md) - Destructive PIN resets will cause keys used by PDE to protect content to be lost. The destructive PIN reset will make any content protected with PDE no longer accessible after a destructive PIN reset. Content protected with PDE will need to be recovered from a backup after a destructive PIN reset. For this reason Windows Hello for Business PIN reset service is recommended since it provides non-destructive PIN resets. + Destructive PIN resets will cause keys used by PDE to protect content to be lost. A destructive PIN reset will make any content protected with PDE no longer accessible after the destructive PIN reset has occurred. Content protected with PDE will need to be recovered from a backup after a destructive PIN reset. For this reason Windows Hello for Business PIN reset service is recommended since it provides non-destructive PIN resets. - [Windows Hello Enhanced Sign-in Security](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security) From 4b08a96f86224942b499a5bb49847a5e53b6b143 Mon Sep 17 00:00:00 2001 From: Docs Allowlist Management Date: Tue, 14 Mar 2023 09:05:23 +0000 Subject: [PATCH 050/101] Add uhfHeaderId = MSDocsHeader-MSEdge to docfx.json --- browsers/edge/docfx.json | 1 + 1 file changed, 1 insertion(+) diff --git a/browsers/edge/docfx.json b/browsers/edge/docfx.json index 361003c659..f021f6aafb 100644 --- a/browsers/edge/docfx.json +++ b/browsers/edge/docfx.json @@ -27,6 +27,7 @@ } ], "globalMetadata": { + "uhfHeaderId": "MSDocsHeader-MSEdge", "recommendations": true, "ms.collection": [ "tier3" From b4f32945efd928979e5b4ae6f0d0d8af45a6a322 Mon Sep 17 00:00:00 2001 
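Review bot: in the overview-pde.md hunk the reworded sentence `A destructive PIN reset will make any content protected with PDE no longer accessible after the destructive PIN reset has occurred.` still states its condition twice, and the paragraph now says "destructive PIN reset" five times in four sentences. Suggest collapsing the first three sentences to `A destructive PIN reset discards the keys PDE uses to protect content, so that content is no longer accessible and must be recovered from a backup.` The closing recommendation also needs an article: `For this reason the Windows Hello for Business PIN reset service is recommended since it provides non-destructive PIN resets.`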
From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Tue, 14 Mar 2023 07:57:02 -0700 Subject: [PATCH 051/101] tweaks --- windows/deployment/do/mcc-isp.md | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/windows/deployment/do/mcc-isp.md b/windows/deployment/do/mcc-isp.md index 7896e28198..103077d2f5 100644 --- a/windows/deployment/do/mcc-isp.md +++ b/windows/deployment/do/mcc-isp.md @@ -563,13 +563,11 @@ We recommend migrating now to the new version to access these benefits and ensur To migrate, use the following steps: -1. Navigate to the cache node that you would like to migrate and select **Download Migration Package** using the button at the top of the page -1. Follow the instructions under the "Connected Cache Migrate Scripts". section within Azure portal. -1. Go to https://portal.azure.com and navigate to your resource to check your migrated cache nodes +1. Navigate to the cache node that you would like to migrate and select **Download Migration Package** using the button at the top of the page. +1. Follow the instructions under the **Connected Cache Migrate Scripts** section within Azure portal. + :::image type="content" source="images/mcc-isp-migrate.png" alt-text="A screenshot of Azure portal showing the migration instructions for migrating a cache node from the private preview to the public preview." lightbox="images/mcc-isp-migrate.png"::: +1. Go to https://portal.azure.com and navigate to your resource to check your migrated cache nodes. -Here is a screenshot from the Azure portal to help: - -:::image type="content" source="images/mcc-isp-migrate.png" alt-text="A screenshot of Azure portal showing the migration instructions for migrating a cache node from the private preview to the public preview."::: ## Uninstalling MCC From e6000ac8870e21387075ab55008a46485dd2c21a Mon Sep 17 00:00:00 2001 
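Review bot: in the reworked migration list, step 1 (`Navigate to the cache node that you would like to migrate ...`) never says where the cache node lives, while step 3 (`Go to https://portal.azure.com and navigate to your resource ...`) introduces the portal after step 2 has already placed the reader `within Azure portal`. Suggest opening step 1 with `In the [Azure portal](https://portal.azure.com), navigate to the cache node ...` and rewording step 3 to `Return to your resource in the Azure portal to confirm the cache node shows as migrated.`, which also replaces the bare URL with a link. Removing `Here is a screenshot from the Azure portal to help:`, the blank line and the image leaves the blank lines on either side adjacent; check that a single blank line remains before `## Uninstalling MCC`.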
From: tiaraquan Date: Tue, 14 Mar 2023 09:26:47 -0700 Subject: [PATCH 052/101] Updated with Autopatch Groups MC post number --- .../whats-new/windows-autopatch-whats-new-2023.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md index abee39860b..329d3a0db4 100644 --- a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md +++ b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md @@ -1,7 +1,7 @@ --- title: What's new 2023 description: This article lists the 2023 feature releases and any corresponding Message center post numbers. -ms.date: 03/13/2023 +ms.date: 03/14/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: whats-new @@ -31,6 +31,7 @@ Minor corrections such as typos, style, or formatting issues aren't listed. | Message center post number | Description | | ----- | ----- | +| [MC527439](https://admin.microsoft.com/adminportal/home#/MessageCenter) | Prepare for Windows Autopatch Groups | | [MC524715](https://admin.microsoft.com/adminportal/home#/MessageCenter) | Public preview - Customize Windows Update settings | ## February 2023 From 52660ee70621fc025afb293fd5af7f18c59be216 Mon Sep 17 00:00:00 2001 From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Tue, 14 Mar 2023 12:35:00 -0400 Subject: [PATCH 053/101] Correct scree to screen Corrected scree to screen --- .../bitlocker/bitlocker-group-policy-settings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md b/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md index 8b776366c3..a70f0199da 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md 
+++ b/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md @@ -252,7 +252,7 @@ This policy setting allows blocking of direct memory access (DMA) for all hot pl |**Drive type**|Operating system drives| |**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption*| |**Conflicts**|None| -|**When enabled**|Every time the user locks the scree, DMA will be blocked on hot pluggable PCI ports until the user signs in again.| +|**When enabled**|Every time the user locks the screen, DMA will be blocked on hot pluggable PCI ports until the user signs in again.| |**When disabled or not configured**|DMA is available on hot pluggable PCI devices if the device is turned on, regardless of whether a user is signed in.| #### Reference: Disable new DMA devices when this computer is locked From dfbb9dc4d7d766b7627c72e8e8422b00ea82a80e Mon Sep 17 00:00:00 2001 
From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Tue, 14 Mar 2023 14:58:25 -0400 Subject: [PATCH 054/101] Remove MSfB REST API reference --- .openpublishing.redirection.json | 81 ++++- windows/client-management/assign-seats.md | 47 --- ...bulk-assign-and-reclaim-seats-from-user.md | 48 --- ...a-structures-windows-store-for-business.md | 312 ------------------ windows/client-management/get-inventory.md | 64 ---- .../get-localized-product-details.md | 52 --- .../client-management/get-offline-license.md | 54 --- .../client-management/get-product-details.md | 52 --- .../client-management/get-product-package.md | 54 --- .../client-management/get-product-packages.md | 53 --- windows/client-management/get-seat.md | 47 --- .../get-seats-assigned-to-a-user.md | 55 --- windows/client-management/get-seats.md | 50 --- ...ent-tool-for-windows-store-for-business.md | 110 ------ .../reclaim-seat-from-user.md | 47 --- ...pi-reference-windows-store-for-business.md | 71 ---- 16 files changed, 78 insertions(+), 1119 deletions(-) delete mode 100644 windows/client-management/assign-seats.md delete mode 100644 windows/client-management/bulk-assign-and-reclaim-seats-from-user.md delete mode 100644 windows/client-management/data-structures-windows-store-for-business.md delete mode 100644 windows/client-management/get-inventory.md delete mode 100644 windows/client-management/get-localized-product-details.md delete mode 100644 windows/client-management/get-offline-license.md delete mode 100644 windows/client-management/get-product-details.md delete mode 100644 windows/client-management/get-product-package.md delete mode 100644 windows/client-management/get-product-packages.md delete mode 100644 windows/client-management/get-seat.md delete mode 100644 windows/client-management/get-seats-assigned-to-a-user.md delete mode 100644 windows/client-management/get-seats.md delete mode 100644 windows/client-management/management-tool-for-windows-store-for-business.md 
delete mode 100644 windows/client-management/reclaim-seat-from-user.md delete mode 100644 windows/client-management/rest-api-reference-windows-store-for-business.md diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index a466519b7f..ee5d65bcc5 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -19944,8 +19944,8 @@ "source_path": "windows/client-management/mdm/wmi-providers-supported-in-windows.md", "redirect_url": "/windows/client-management/wmi-providers-supported-in-windows", "redirect_document_id": false - }, - { + }, + { "source_path": "windows/deployment/do/mcc-enterprise.md", "redirect_url": "/windows/deployment/do/waas-microsoft-connected-cache", "redirect_document_id": false 
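Review bot: the first .openpublishing.redirection.json hunk (around the `wmi-providers-supported-in-windows` entry) removes and re-adds `},` and `{` with no visible difference, so it is a whitespace-only change (trailing spaces or indentation). Drop it, or land it as a separate formatting commit, so this patch stays limited to the Store for Business removals and is easier to audit.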
@@ -20055,6 +20055,81 @@ "redirect_url": "/troubleshoot/windows-client/welcome-windows-client", "redirect_document_id": false }, + { + "source_path": "windows/client-management/management-tool-for-windows-store-for-business.md", + "redirect_url": "https://aka.ms/windows/msfb_evolution", + "redirect_document_id": false + }, + { + "source_path": "windows/client-management/rest-api-reference-windows-store-for-business.md", + "redirect_url": "https://aka.ms/windows/msfb_evolution", + "redirect_document_id": false + }, + { + "source_path": "windows/client-management/data-structures-windows-store-for-business.md", + "redirect_url": "https://aka.ms/windows/msfb_evolution", + "redirect_document_id": false + }, + { + "source_path": "windows/client-management/get-inventory.md", + "redirect_url": "https://aka.ms/windows/msfb_evolution", + "redirect_document_id": false + }, + { + "source_path": "windows/client-management/get-product-details.md", + "redirect_url": "https://aka.ms/windows/msfb_evolution", + "redirect_document_id": false + }, + { + "source_path": "windows/client-management/get-localized-product-details.md", + "redirect_url": "https://aka.ms/windows/msfb_evolution", + "redirect_document_id": false + }, + { + "source_path": "windows/client-management/get-offline-license.md", + "redirect_url": "https://aka.ms/windows/msfb_evolution", + "redirect_document_id": false + }, + { + "source_path": "windows/client-management/get-product-packages.md", + "redirect_url": "https://aka.ms/windows/msfb_evolution", + "redirect_document_id": false + }, + { + "source_path": "windows/client-management/get-product-package.md", + "redirect_url": "https://aka.ms/windows/msfb_evolution", + "redirect_document_id": false + }, + { + "source_path": "windows/client-management/get-seats.md", + "redirect_url": "https://aka.ms/windows/msfb_evolution", + "redirect_document_id": false + }, + { + "source_path": "windows/client-management/get-seat.md", + "redirect_url": 
"https://aka.ms/windows/msfb_evolution", + "redirect_document_id": false + }, + { + "source_path": "windows/client-management/assign-seats.md", + "redirect_url": "https://aka.ms/windows/msfb_evolution", + "redirect_document_id": false + }, + { + "source_path": "windows/client-management/reclaim-seat-from-user.md", + "redirect_url": "https://aka.ms/windows/msfb_evolution", + "redirect_document_id": false + }, + { + "source_path": "windows/client-management/bulk-assign-and-reclaim-seats-from-user.md", + "redirect_url": "https://aka.ms/windows/msfb_evolution", + "redirect_document_id": false + }, + { + "source_path": "windows/client-management/get-seats-assigned-to-a-user.md", + "redirect_url": "https://aka.ms/windows/msfb_evolution", + "redirect_document_id": false + }, { "source_path": "education/windows/set-up-school-pcs-shared-pc-mode.md", "redirect_url": "/windows/configuration/set-up-shared-or-guest-pc", @@ -20656,4 +20731,4 @@ "redirect_document_id": true } ] -} +} \ No newline at end of file diff --git a/windows/client-management/assign-seats.md b/windows/client-management/assign-seats.md deleted file mode 100644 index 929b1d62e2..0000000000 --- a/windows/client-management/assign-seats.md +++ /dev/null 
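Review bot: the tail of the second .openpublishing.redirection.json hunk (`-} +} \ No newline at end of file`) strips the trailing newline from the file; restore it, since the file previously ended with one and nothing in this change depends on removing it. The fifteen new entries cover every file the stat marks `delete mode 100644` (assign-seats, bulk-assign-and-reclaim-seats-from-user, data-structures-windows-store-for-business, get-inventory, get-localized-product-details, get-offline-license, get-product-details, get-product-package, get-product-packages, get-seat, get-seats-assigned-to-a-user, get-seats, management-tool-for-windows-store-for-business, reclaim-seat-from-user, rest-api-reference-windows-store-for-business), and `"redirect_document_id": false` is the right setting for an external `https://aka.ms/...` target. The stat touches no toc.yml, so if these pages are listed in the client-management TOC those entries also need removing or the build will report broken links.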
@@ -1,47 +0,0 @@ ---- -title: Assign seat -description: The Assign seat operation assigns seat for a specified user in the Microsoft Store for Business. -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: article -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/18/2017 ---- - -# Assign seat - -The **Assign seat** operation assigns seat for a specified user in the Microsoft Store for Business. - -## Request - -**POST:** - -```http -https://bspmts.mp.microsoft.com/V1/Inventory/{productId}/{skuId}/Seats/{username} -``` - -### URI parameters - -The following parameters may be specified in the request URI. - -|Parameter|Type|Description| -|--- |--- |--- | -|productId|string|Required. Product identifier for an application that is used by the Store for Business.| -|skuId|string|Required. Product identifier that specifies a specific SKU of an application.| -|username|string|Requires UserPrincipalName (UPN). User name of the target user account.| - -## Response - -### Response body - -The response body contains [SeatDetails](data-structures-windows-store-for-business.md#seatdetails). - -|Error code|Description|Retry|Data field|Details| -|--- |--- |--- |--- |--- | -|400|Invalid parameters|No|Parameter name
        Reason: Invalid parameter
        Details: String|Invalid can include productId, skuId or userName| -|404|Not found||Item type: Inventory, User, Seat

        Values: ProductId/SkuId, UserName, ProductId/SkuId/UserName|ItemType: Inventory User Seat

        Values: ProductId/SkuId UserName ProductId/SkuId/UserName| -|409|Conflict||Reason: Not online|| - diff --git a/windows/client-management/bulk-assign-and-reclaim-seats-from-user.md b/windows/client-management/bulk-assign-and-reclaim-seats-from-user.md deleted file mode 100644 index dde32f1d1f..0000000000 --- a/windows/client-management/bulk-assign-and-reclaim-seats-from-user.md +++ /dev/null @@ -1,48 +0,0 @@ ---- -title: Bulk assign and reclaim seats from users -description: The Bulk assign and reclaim seats from users operation returns reclaimed or assigned seats in the Microsoft Store for Business. -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: article -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/18/2017 ---- - -# Bulk assign and reclaim seats from users - -The **Bulk assign and reclaim seats from users** operation returns reclaimed or assigned seats in the Microsoft Store for Business. - -## Request - -**POST**: - -```http -https://bspmts.mp.microsoft.com/V1/Inventory/{productId}/{skuId}/Seats -``` - -### URI parameters - -The following parameters may be specified in the request URI. - -|Parameter|Type|Description| -|--- |--- |--- | -|productId|string|Required. Product identifier for an application that is used by the Store for Business.| -|skuId|string|Required. Product identifier that specifies a specific SKU of an application.| -|username|string|Requires UserPrincipalName (UPN). User name of the target user account.| -|seatAction|[SeatAction](data-structures-windows-store-for-business.md#seataction) || - - -## Response - -### Response body - -The response body contains [BulkSeatOperationResultSet](data-structures-windows-store-for-business.md#bulkseatoperationresultset). - -|Error code|Description|Retry|Data field| -|--- |--- |--- |--- | -|404|Not found||Item type: Inventory
        Values: ProductId/SkuId| - - diff --git a/windows/client-management/data-structures-windows-store-for-business.md b/windows/client-management/data-structures-windows-store-for-business.md deleted file mode 100644 index b0f8d8a0f9..0000000000 --- a/windows/client-management/data-structures-windows-store-for-business.md +++ /dev/null 
@@ -1,312 +0,0 @@ ---- -title: Data structures for Microsoft Store for Business -description: Learn about the various data structures for Microsoft Store for Business. -MS-HAID: - - 'p\_phdevicemgmt.business\_store\_data\_structures' - - 'p\_phDeviceMgmt.data\_structures\_windows\_store\_for\_business' -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: article -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/18/2017 ---- - -# Data structures for Microsoft Store for Business - -Here's the list of data structures used in the Microsoft Store for Business REST APIs: - -- [AlternateIdentifier](#alternateidentifier) -- [BulkSeatOperationResultSet](#bulkseatoperationresultset) -- [FailedSeatRequest](#failedseatrequest) -- [FrameworkPackageDetails](#frameworkpackagedetails) -- [InventoryDistributionPolicy](#inventorydistributionpolicy) -- [InventoryEntryDetails](#inventoryentrydetails) -- [InventoryResultSet](#inventoryresultset) -- [InventoryStatus](#inventorystatus) -- [LicenseType](#licensetype) -- [LocalizedProductDetail](#localizedproductdetail) -- [OfflineLicense](#offlinelicense) -- [PackageContentInfo](#packagecontentinfo) -- [PackageLocation](#packagelocation) -- [ProductArchitectures](#productarchitectures) -- [ProductDetails](#productdetails) -- [ProductImage](#productimage) -- [ProductKey](#productkey) -- [ProductPackageDetails](#productpackagedetails) -- [ProductPackageFormat](#productpackageformat) -- [ProductPackageSet](#productpackageset) -- [ProductPlatform](#productplatform) -- [PublisherDetails](#publisherdetails) -- [SeatAction](#seataction) -- [SeatDetails](#seatdetails) -- [SeatDetailsResultSet](#seatdetailsresultset) -- [SeatState](#seatstate) -- [SupportedProductPlatform](#supportedproductplatform) -- [VersionInfo](#versioninfo) - -## AlternateIdentifier - - -Specifies the properties of the alternate identifier. 
- -|Name|Type|Description| -|--- |--- |--- | -|Type|String|LegacyWindowStoreProductId, LegacyWindowsPhoneProductId, RedirectToThresholdProductId| -|Value|String|| - -## BulkSeatOperationResultSet - -|Name|Type| -|--- |--- | -|seatDetails|Collection of [SeatDetails](#seatdetails)| -|failedSeatOperations|Collection of [FailedSeatRequest](#failedseatrequest)| - -## FailedSeatRequest - -|Name|Type| -|--- |--- | -|failureReason|String| -|productKey|[ProductKey](#productkey)| -|userName|String| - -## FrameworkPackageDetails - -|Name|Type|Description| -|--- |--- |--- | -|packageId|String|| -|contentId|String|Identifies a specific application.| -|Location|[PackageLocation](#packagelocation)|| -|packageFullName|String|| -|packageIdentityName|String|| -|Architectures|Collection of [ProductArchitectures](#productarchitectures)|| -|packageFormat|[ProductPackageFormat](#productpackageformat)|| -|Platforms|Collection of [ProductPlatform](#productplatform)|| -|fileSize|integer-64|Size of the file.| -|packageRank|integer-32|Optional| - -## InventoryDistributionPolicy - -|Name|Description| -|--- |--- | -|Open|Open distribution policy - licenses/seats can be assigned/consumed without limit| -|Restricted|Restricted distribution policy - licenses/seats must be assigned/consumed according to the available count| - -## InventoryEntryDetails - -|Name|Type|Description| -|--- |--- |--- | -|productKey|[ProductKey](#productkey)|Identifier used on subsequent requests to get more content including product descriptions, offline license, and download URLs.| -|seatCapacity|integer-64|Total number of seats that have been purchased for an application.| -|availableSeats|integer-64|Number of available seats remaining for an application.| -|lastModified|dateTime|Specifies the last modified date for an application. 
Modifications for an application include updated product details, updates to an application, and updates to the quantity of an application.| -|licenseType|[LicenseType](#licensetype)|Indicates whether the set of seats for a given application supports online or offline licensing.| -|distributionPolicy|[InventoryDistributionPolicy](#inventorydistributionpolicy)|| -|status|[InventoryStatus](#inventorystatus)|| - -## InventoryResultSet - - -|Name|Type|Description| -|--- |--- |--- | -|continuationToken|String|Only available if there is a next page.| -|inventoryEntries|Collection of [InventoryEntryDetails](#inventoryentrydetails)|| - -## InventoryStatus - -|Name|Description| -|--- |--- | -|Active|Entry is available in the organization’s inventory.| -|Removed|Entry has been removed from the organization’s inventory.| - -## LicenseType - -|Name|Description| -|--- |--- | -|Online|Online license application.| -|Offline|Offline license application.| - -## LocalizedProductDetail - - -Specifies the properties of the localized product. 
- -|Name|Type|Description| -|--- |--- |--- | -|Language|String|Language or fallback language if the specified language is not available.| -|displayName|String|Display name of the application.| -|Description|String|App description provided by developer can be up to 10,000 characters.| -|Images|Collection of [ProductImage](#productimage)|Artwork and icon associated with the application.| -|Publisher|[PublisherDetails](#publisherdetails)|Publisher of the application.| - -## OfflineLicense - - -|Name|Type|Description| -|--- |--- |--- | -|productKey|[ProductKey](#productkey)|Identifies a set of seats associated with an application.| -|licenseBlob|String|Base-64 encoded offline license that can be installed via a CSP.| -|licenseInstanceId|String|Version of the license.| -|requestorId|String|Organization requesting the license.| -|contentId|String|Identifies the specific license required by an application.| - -## PackageContentInfo - - -|Name|Type| -|--- |--- | -|productPlatforms|Collection of ProductPlatform| -|packageFormat|String| - -## PackageLocation - - -|Name|Type|Description| -|--- |--- |--- | -|Url|URI|CDN location of the packages. 
URL expiration is based on the estimated time to download the package.| - - -## ProductArchitectures - -|Name| -|--- | -|Neutral| -|Arm| -|x86| -|x64| - -## ProductDetails - -|Name|Type|Description| -|--- |--- |--- | -|productKey|[ProductKey](#productkey)|Identifier used on subsequent requests to get more content including product descriptions, offline license, and download URLs.| -|productType|String|Type of product.| -|supportedLanguages|Collection of string|The set of localized languages for an application.| -|publisherId|String|Publisher identifier.| -|Category|String|Application category.| -|alternateIds|Collection of [AlternateIdentifier](#alternateidentifier)|The identifiers that can be used to instantiate the installation of on online application.| -|packageFamilyName|String|| -|supportedPlatforms|Collection of [ProductPlatform](#productplatform)|| - -## ProductImage - -Specifies the properties of the product image. - -|Name|Type|Description| -|--- |--- |--- | -|location|URI|Location of the download image.| -|purpose|string|Tag for the image, for example "screenshot" or "logo".| -|height|string|Height of the image in pixels.| -|width|string|Width of the image in pixels.| -|caption|string|Unlimited length.| -|backgroundColor|string|Format "#RRGGBB"| -|foregroundColor|string|Format "#RRGGBB"| -|fileSize|integer-64|Size of the file.| - -## ProductKey - -Specifies the properties of the product key. 
- -|Name|Type|Description| -|--- |--- |--- | -|productId|String|Product identifier for an application that is used by the Store for Business.| -|skuId|String|Product identifier that specifies a specific SKU of an application.| - -## ProductPackageDetails - -|Name|Type|Description| -|--- |--- |--- | -|frameworkDependencyPackages|Collection of [FrameworkPackageDetails](#frameworkpackagedetails)|| -|packageId|String|| -|contentId|String|Identifies a specific application.| -|Location|[PackageLocation](#packagelocation)|| -|packageFullName|String|Example, Microsoft.BingTranslator_1.1.10917.2059_x86__8wekyb3d8bbwe| -|packageIdentityName|String|Example, Microsoft.BingTranslator| -|Architectures|Collection of [ProductArchitectures](#productarchitectures)|Values {x86, x64, arm, neutral}| -|packageFormat|[ProductPackageFormat](#productpackageformat)|Extension of the package file.| -|Platforms|Collection of [ProductPlatform](#productplatform)|| -|fileSize|integer-64|Size of the file.| -|packageRank|integer-32|Optional| - -## ProductPackageFormat - -|Name| -|--- | -|Appx| -|appxBundle| -|Xap| - -## ProductPackageSet - -|Name|Type|Description| -|--- |--- |--- | -|packageSetId|String|An identifier for the particular combination of application packages.| -|productPackages|Collection of [ProductPackageDetails](#productpackagedetails)|A collection of application packages.| - -## ProductPlatform - -|Name|Type| -|--- |--- | -|platformName|String| -|minVersion|[VersionInfo](#versioninfo)| -|maxTestedVersion|[VersionInfo](#versioninfo)| - -## PublisherDetails - -Specifies the properties of the publisher details. 
- -|Name|Type|Description| -|--- |--- |--- | -|publisherName|String|Name of the publisher.| -|publisherWebsite|String|Website of the publisher.| - -## SeatAction - - -|Name| -|--- | -|Assign| -|Reclaim| - -## SeatDetails - -|Name|Type|Description| -|--- |--- |--- | -|assignedTo|String|Format = UPN (user@domain)| -|dateAssigned|Datetime|| -|State|[SeatState](#seatstate)|| -|productKey|[ProductKey](#productkey)|| - -## SeatDetailsResultSet - -|Name|Type| -|--- |--- | -|Seats|Collection of [SeatDetails](#seatdetails)| -|continuationToken|String| - -## SeatState - -|Name| -|--- | -|Active| -|Revoked| - -## SupportedProductPlatform - -|Name|Type| -|--- |--- | -|platformName|String| -|minVersion|[VersionInfo](#versioninfo)| -|maxTestedVersion|[VersionInfo](#versioninfo)| -|Architectures|Collection of [ProductArchitectures](#productarchitectures)| - -## VersionInfo - -|Name|Type| -|--- |--- | -|Major|integer-32| -|Minor|integer-32| -|Build|integer-32| -|Revision|integer-32| diff --git a/windows/client-management/get-inventory.md b/windows/client-management/get-inventory.md deleted file mode 100644 index 96913de900..0000000000 --- a/windows/client-management/get-inventory.md +++ /dev/null 
@@ -1,64 +0,0 @@ ---- -title: Get Inventory -description: The Get Inventory operation retrieves information from the Microsoft Store for Business to determine if new or updated applications are available. -MS-HAID: - - 'p\_phdevicemgmt.get\_seatblock' - - 'p\_phDeviceMgmt.get\_inventory' -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: article -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/18/2017 ---- - -# Get Inventory - -The **Get Inventory** operation retrieves information from the Microsoft Store for Business to determine if new or updated applications are available. - -## Request - -**GET:** - -```http -https://bspmts.mp.microsoft.com/V1/Inventory?continuationToken={ContinuationToken}&modifiedSince={ModifiedSince}&licenseTypes={LicenseType}&maxResults={MaxResults} -``` -### URI parameters - -The following parameters may be specified in the request URI. - -|Parameter|Type|Default value|Description| -|--- |--- |--- |--- | -|continuationToken|string|Null|| -|modifiedSince|datetime|Null|Optional. Used to determine changes since a specific date.| -|licenseTypes|collection of [LicenseType](data-structures-windows-store-for-business.md#licensetype)|{online,offline}|Optional. A collection of license types| -|maxResults|integer-32|25|Optional. Specifies the maximum number of applications returned in a single query.| - -Here are some examples. 
- -|Query type|Example query| -|--- |--- | -|Online and offline|[https://bspmts.mp.microsoft.com/V1/Inventory?licenseTypes=online&licenseTypes=offline&maxResults=25](https://bspmts.mp.microsoft.com/V1/Inventory?licenseTypes=online&licenseTypes=offline&maxResults=25)| -|Online only|[https://bspmts.mp.microsoft.com/V1/Inventory?licenseTypes=online&maxResults=25](https://bspmts.mp.microsoft.com/V1/Inventory?licenseTypes=online&maxResults=25)| -|Offline only|[https://bspmts.mp.microsoft.com/V1/Inventory?licenseTypes=offline&maxResults=25](https://bspmts.mp.microsoft.com/V1/Inventory?licenseTypes=offline&maxResults=25)| -|Both license types and a time filter|[https://bspmts.mp.microsoft.com/V1/Inventory?modifiedSince=2015-07-13T14%3a02%3a25.6863382-07%3a00&licenseTypes=online&licenseTypes=offline&maxResults=25](https://bspmts.mp.microsoft.com/V1/Inventory?modifiedSince=2015-07-13T14%3a02%3a25.6863382-07%3a00&licenseTypes=online&licenseTypes=offline&maxResults=25)| - -|Error code|Description|Retry|Data field| -|--- |--- |--- |--- | -|400|Invalid parameters|No|Parameter name

        Invalid modified date, license, or continuationToken

        Details: String| - -## Response - -### Response body - -The response contains [InventoryResultSet](data-structures-windows-store-for-business.md#inventoryresultset). - - - - - - - - diff --git a/windows/client-management/get-localized-product-details.md b/windows/client-management/get-localized-product-details.md deleted file mode 100644 index 48fe49a501..0000000000 --- a/windows/client-management/get-localized-product-details.md +++ /dev/null @@ -1,52 +0,0 @@ ---- -title: Get localized product details -description: The Get localized product details operation retrieves the localization information of a product from the Microsoft Store for Business. -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: article -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 12/07/2020 ---- - -# Get localized product details - -The **Get localized product details** operation retrieves the localization information of a product from the Microsoft Store for Business. - -## Request - -**GET:** - -```http -https://bspmts.mp.microsoft.com/V1/Products/{ProductId}/{SkuId}/LocalizedDetails/{language} -``` - - -### URI parameters - -The following parameters may be specified in the request URI. - -|Parameter|Type|Description| -|--- |--- |--- | -|productId|string|Required. Product identifier for an application that is used by the Store for Business.| -|skuId|string|Required. Product identifier that specifies a specific SKU of an application.| -|language|string|Required. Language in ISO format, such as en-us, en-ca.| - -|Error code|Description|Retry|Data field| -|--- |--- |--- |--- | -|400|Invalid parameters|No|Parameter name
        Reason: Missing parameter or invalid parameter
        Details: String| -|404|Not found||Item type: productId, skuId, language| - -## Response - -The response contains [LocalizedProductDetail](data-structures-windows-store-for-business.md#localizedproductdetail). - -  - - - - - - diff --git a/windows/client-management/get-offline-license.md b/windows/client-management/get-offline-license.md deleted file mode 100644 index 160424bf6b..0000000000 --- a/windows/client-management/get-offline-license.md +++ /dev/null @@ -1,54 +0,0 @@ ---- -title: Get offline license -description: The Get offline license operation retrieves the offline license information of a product from the Microsoft Store for Business. -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: article -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/18/2017 ---- - -# Get offline license - -The **Get offline license** operation retrieves the offline license information of a product from the Microsoft Store for Business. - -## Request - -**POST:** - -```http -https://bspmts.mp.microsoft.com/V1/Products/{productId}/{skuId}/OfflineLicense/{contentId} -``` - -### URI parameters - -The following parameters may be specified in the request URI. - -|Parameter|Type|Description| -|--- |--- |--- | -|productId|string|Required. Identifies a specific product that has been acquired.| -|skuId|string|Required. The SKU identifier.| -|contentId|string|Required. Identifies a specific application.| - -|Error code|Description|Retry|Data field| -|--- |--- |--- |--- | -|400|Invalid parameters|No|Parameter name
        Reason: Missing parameter or invalid parameter
        Details: String| -|404|Not found||| -|409|Conflict||Reason: Not owned, Not offline| - -## Response - -### Response body - -The response contains [OfflineLicense](data-structures-windows-store-for-business.md#offlinelicense). - -  - - - - - - diff --git a/windows/client-management/get-product-details.md b/windows/client-management/get-product-details.md deleted file mode 100644 index 54d824ba07..0000000000 --- a/windows/client-management/get-product-details.md +++ /dev/null @@ -1,52 +0,0 @@ ---- -title: Get product details -description: The Get product details operation retrieves the product information from the Microsoft Store for Business for a specific application. -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: article -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/18/2017 ---- - -# Get product details - -The **Get product details** operation retrieves the product information from the Microsoft Store for Business for a specific application. - -## Request - -**GET:** - -```http -https://bspmts.mp.microsoft.com/V1/Products/{productId}/{skuId} -``` - -### URI parameters - -The following parameters may be specified in the request URI. - -|Parameter|Type|Description| -|--- |--- |--- | -|productId|string|Required. Product identifier for an application that is used by the Store for Business.| -|skuId|string|Required. Product identifier that specifies a specific SKU of an application.| - -|Error code|Description|Retry|Data field| -|--- |--- |--- |--- | -|400|Invalid parameters|No|Parameter name
        Reason: Missing parameter or invalid parameter
        Details: String| -|404|Not found||| - -## Response - -### Response body - -The response contains [ProductDetails](data-structures-windows-store-for-business.md#productdetails). - -  - - - - - - diff --git a/windows/client-management/get-product-package.md b/windows/client-management/get-product-package.md deleted file mode 100644 index 9dc16fb5c3..0000000000 --- a/windows/client-management/get-product-package.md +++ /dev/null @@ -1,54 +0,0 @@ ---- -title: Get product package -description: The Get product package operation retrieves the information about a specific application in the Microsoft Store for Business. -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: article -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/18/2017 ---- - -# Get product package - -The **Get product package** operation retrieves the information about a specific application in the Microsoft Store for Business. - -## Request - -**GET:** - -```http -https://bspmts.mp.microsoft.com/V1/Products/{productId}/{skuId}/Packages/{packageId} -``` - -### URI parameters - -The following parameters may be specified in the request URI. - -|Parameter|Type|Description| -|--- |--- |--- | -|productId|string|Required. Product identifier for an application that is used by the Store for Business.| -|skuId|string|Required. Product identifier that specifies a specific SKU of an application.| -|packageId|string|Required.| - -|Error code|Description|Retry|Data field|Details| -|--- |--- |--- |--- |--- | -|400|Invalid parameters|No|Parameter name

        Reason: Invalid parameter

        Details: String|Can be productId, skuId, or packageId| -|404|Not found|||Item type: Product/SKU| -|409|Conflict||Reason: Not owned|| - -## Response - -### Response body - -The response body contains [ProductPackageDetails](data-structures-windows-store-for-business.md#productpackagedetails). - -  - - - - - - diff --git a/windows/client-management/get-product-packages.md b/windows/client-management/get-product-packages.md deleted file mode 100644 index cf9e34fcda..0000000000 --- a/windows/client-management/get-product-packages.md +++ /dev/null @@ -1,53 +0,0 @@ ---- -title: Get product packages -description: The Get product packages operation retrieves the information about applications in the Microsoft Store for Business. -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: article -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/18/2017 ---- - -# Get product packages - -The **Get product packages** operation retrieves the information about applications in the Microsoft Store for Business. - -## Request - -**GET:** - -```http -https://bspmts.mp.microsoft.com/V1/Products/{productId}/{skuId}/Packages -``` - -  -### URI parameters - -The following parameters may be specified in the request URI. - -|Parameter|Type|Description| -|--- |--- |--- | -|productId|string|Required. Product identifier for an application that is used by the Store for Business.| -|skuId|string|Required. Product identifier that specifies a specific SKU of an application.| - -|Error code|Description|Retry|Data field| -|--- |--- |--- |--- | -|400|Invalid parameters|No|Parameter name

        Reason: Missing parameter or invalid parameter

        Details: String| -|404|Not found||| -|409|Conflict||Reason: Not owned| - -## Response - -### Response body - -The response body contains [ProductPackageSet](data-structures-windows-store-for-business.md#productpackageset). - -  - - - - - diff --git a/windows/client-management/get-seat.md b/windows/client-management/get-seat.md deleted file mode 100644 index 2c46b03f7a..0000000000 --- a/windows/client-management/get-seat.md +++ /dev/null @@ -1,47 +0,0 @@ ---- -title: Get seat -description: The Get seat operation retrieves the information about an active seat for a specified user in the Microsoft Store for Business. -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: article -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/18/2017 ---- - -# Get seat - -The **Get seat** operation retrieves the information about an active seat for a specified user in the Microsoft Store for Business. - -## Request - -**GET:** - -```http -https://bspmts.mp.microsoft.com/V1/Inventory/{productId}/{skuId}/Seats/{username} -``` - -### URI parameters - -The following parameters may be specified in the request URI. - -|Parameter|Type|Description| -|--- |--- |--- | -|productId|string|Required. Product identifier for an application that is used by the Store for Business.| -|skuId|string|Required. Product identifier that specifies a specific SKU of an application.| -|username|string|Requires UserPrincipalName (UPN). User name of the target user account.| - -  -## Response - -### Response body - -The response body contains [SeatDetails](data-structures-windows-store-for-business.md#seatdetails). - -|Error code|Description|Retry|Data field|Details| -|--- |--- |--- |--- |--- | -|400|Invalid parameters|No|Parameter name

        Reason: Missing parameter or invalid parameter

        Details: String|Invalid can include productId, skuId or username| -|404|Not found|||ItemType: Inventory, User, Seat

        Values: ProductId/SkuId, UserName, ProductId/SkuId/Username| -|409|Conflict||Reason: Not online|| diff --git a/windows/client-management/get-seats-assigned-to-a-user.md b/windows/client-management/get-seats-assigned-to-a-user.md deleted file mode 100644 index b029f4e2da..0000000000 --- a/windows/client-management/get-seats-assigned-to-a-user.md +++ /dev/null @@ -1,55 +0,0 @@ ---- -title: Get seats assigned to a user -description: The Get seats assigned to a user operation retrieves information about assigned seats in the Microsoft Store for Business. -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: article -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/18/2017 ---- - -# Get seats assigned to a user - -The **Get seats assigned to a user** operation retrieves information about assigned seats in the Microsoft Store for Business. - -## Request - -**GET:** - -```http -https://bspmts.mp.microsoft.com/V1/Users/{username}/Seats?continuationToken={ContinuationToken}&maxResults={MaxResults} -``` - -### URI parameters - -The following parameters may be specified in the request URI. - -|Parameter|Type|Description| -|--- |--- |--- | -|useName|string|Requires UserPrincipalName (UPN). User name of the target user account.| -|continuationToken|string|Optional.| -|maxResults|inteter-32|Optional. Default = 25, Maximum = 100| - -  -## Response - -### Response body - -The response body contains [SeatDetailsResultSet](data-structures-windows-store-for-business.md#seatdetailsresultset). - -|Error code|Description|Retry|Data field| -|--- |--- |--- |--- | -|400|Invalid parameters|No|Parameter name

        Reason: Invalid parameter

        Details: String| -|404|Not found||Item type: User

        Values: UserName| - -  - -  - - - - - diff --git a/windows/client-management/get-seats.md b/windows/client-management/get-seats.md deleted file mode 100644 index 50e1920ffc..0000000000 --- a/windows/client-management/get-seats.md +++ /dev/null @@ -1,50 +0,0 @@ ---- -title: Get seats -description: The Get seats operation retrieves the information about active seats in the Microsoft Store for Business. -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: article -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/18/2017 ---- - -# Get seats - -The **Get seats** operation retrieves the information about active seats in the Microsoft Store for Business. - -## Request - -**GET:** - -```http -https://bspmts.mp.microsoft.com/V1/Inventory/{productId}/{skuId}/Seats?continuationToken={ContinuationToken}&maxResults={MaxResults} -``` - -### URI parameters - -The following parameters may be specified in the request URI. - -|Parameter|Type|Description| -|--- |--- |--- | -|productId|string|Required. Product identifier for an application that is used by the Store for Business.| -|skuId|string|Required. Product identifier that specifies a specific SKU of an application.| -|continuationToken|string|Optional.| -|maxResults|int32|Optional. Default = 25, Maximum = 100| - -## Response - -### Response body - -The response body contains [SeatDetailsResultSet](data-structures-windows-store-for-business.md#seatdetailsresultset). - -|Error code|Description|Retry|Data field| -|--- |--- |--- |--- | -|400|Invalid parameters|No|Parameter name
        Reason: Missing parameter or invalid parameter
        Details: String| -|404|Not found||| -|409|Conflict||Reason: Not online| - - - diff --git a/windows/client-management/management-tool-for-windows-store-for-business.md b/windows/client-management/management-tool-for-windows-store-for-business.md deleted file mode 100644 index b970a8175f..0000000000 --- a/windows/client-management/management-tool-for-windows-store-for-business.md +++ /dev/null 
@@ -1,110 +0,0 @@ ---- -title: Management tool for the Microsoft Store for Business -description: The Microsoft Store for Business has a new web service designed for the enterprise to acquire, manage, and distribute applications in bulk. -MS-HAID: - - 'p\_phdevicemgmt.business\_store\_portal\_management\_tool' - - 'p\_phDeviceMgmt.management\_tool\_for\_windows\_store\_for\_business' -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: article -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 10/27/2017 ---- - -# Management tool for the Microsoft Store for Business - -The Microsoft Store for Business has a new web service designed for the enterprise to acquire, manage, and distribute applications in bulk. The Store for Business enables several capabilities that are required for the enterprise to manage the lifecycle of applications from acquisition to updates. - -Here's the list of the available capabilities: - -- Support for enterprise identities – Enables end users within an organization to use the identity that has been provided to them within the organization. This feature enables an organization to keep control of the application and eliminates the need for an organization to maintain another set of identities for their users. -- Bulk acquisition support of applications – Enables an IT administrator to acquire applications in bulk. IT departments can now take control over the procurement and distribution of applications. Previously, users acquire applications manually. -- License reclaim and reuse – Enables an enterprise to keep value in their purchases by allowing the ability to unassign access to an application, and then reassign the application to another user. In Microsoft Store today, when a user with a Microsoft account leaves the organization, they keep ownership of the application. 
-- Flexible distribution models for Microsoft Store apps – Allows enterprises to integrate with an organization's infrastructure. It also allows the processes to distribute applications to devices that are connected to Store for Business services and to devices without connectivity to the Store for Business services. -- Custom Line of Business app support – Enables management and distribution of enterprise applications through the Store for Business. -- Support for Windows client devices - The Store for Business supports client devices. - -For more information, see [Microsoft Store for Business and Education](/microsoft-store/). - -## Management services - -The Store for Business provides services that enable a management tool to synchronize new and updated applications for an organization. Once synchronized, you can distribute new and updated applications using the Windows Management framework. The services provide several features, including providing application data, can assign and reclaim applications, and can download offline-licensed application packages. - -- **Application data**: The Store for Business service provides metadata for the applications that have been acquired via the Store for Business. This metadata includes: - - The application identifier that's used to deploy online license applications - - Artwork for an application that's used to create a company portal - - Localized descriptions for applications - -- **Licensing models**: - - - **Online-licensed** applications require connectivity to the Microsoft Store. Users require an Azure Active Directory identity, and rely on the store services on the device to get an application from the store. It's similar to how applications are acquired from the Microsoft Store using a Microsoft account. Assigning or reclaiming seats for an application require a call to the Store for Business services. 
- - **Offline-licensed** applications enable an organization to use the application for imaging and for devices that may not have connectivity to the store or may not have Azure Active Directory. Offline-licensed applications don't require connectivity to the store. It can be updated directly from the store if the device has connectivity, and the app update policies allow updates to be distributed using the store. - -### Offline-licensed application distribution - -The following diagram is an overview of app distribution, from getting an offline-licensed application to distributing to clients. Once the applications are synchronized from the Store for Business, the management tool can use the Windows management framework to distribute applications to devices. - -![business store offline app distribution.](images/businessstoreportalservices2.png) - -### Online-licensed application distribution - -The following diagram is an overview of app distribution, from getting an online-licensed application to distributing to clients. Once the applications are synchronized from the Store for Business, the management tool can use the Windows management framework to distribute applications to devices. For online-licensed applications, the management tool calls back into the Store for Business management services to assign an application before issuing the policy to install the application. - -![business store online app distribution.](images/businessstoreportalservices3.png) - -## Integrate with Azure Active Directory - -The Store for Business services use Azure Active Directory for authentication. The management tool must be registered as an Azure AD application within an organization tenant to authenticate against the Store for Business. 
- -The following articles have more information about Azure AD, and how to register your application within Azure AD: - -- Adding an application to Azure Active Directory - [Azure Active Directory integration with MDM](azure-active-directory-integration-with-mdm.md) -- Accessing other Web applications and configuring your application to access other APIs - [Integrating Applications with Azure Active Directory](/azure/active-directory/develop/quickstart-register-app) -- Authenticating to the Store for Business services via Azure AD - [Authentication Scenarios for Azure Active Directory](/azure/active-directory/develop/authentication-vs-authorization) - -For code samples, see [Microsoft Azure Active Directory Samples and Documentation](https://go.microsoft.com/fwlink/p/?LinkId=623024) in GitHub. Patterns are similar to [Daemon-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=623025) and [ConsoleApp-GraphAPI-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=623026). - -## Configure your Azure AD application - -See [Quickstart: Register an application with the Microsoft identity platform](/azure/active-directory/develop/quickstart-register-app) for the steps to configure your Azure AD app. - -## Azure AD Authentication for MTS - -MTS requires calls to be authenticated using an Azure AD OAuth bearer token. The authorization token is for the Azure AD application representing the MDM component (service/daemon/on-prem instance) within the context of the directory/tenant it will be working on behalf-of. - -Here are the details for requesting an authorization token: - -- Login Authority = `https://login.windows.net/` -- Resource/audience = `https://onestore.microsoft.com`: The token audience URI is an application identifier for which the token is being generated. It's not a URL for a service endpoint or a web page. 
-- ClientId = your Azure AD application client ID -- ClientSecret = your Azure AD application client secret/key - -## Using the management tool - -After you register your management tool with Azure AD, the management tool can call into the management services. There are a couple of call patterns: - -- First the ability to get new or updated applications. -- Second the ability to assign or reclaim applications. - -The diagram below shows the call patterns for acquiring a new or updated application. - -![business store portal service flow diagram.](images/businessstoreportalservicesflow.png) - -**Here is the list of available operations**: - -- [Get Inventory](get-inventory.md) -- [Get product details](get-product-details.md) -- [Get localized product details](get-localized-product-details.md) -- [Get offline license](get-offline-license.md) -- [Get product packages](get-product-packages.md) -- [Get product package](get-product-package.md) -- [Get seats](get-seats.md) -- [Get seat](get-seat.md) -- [Assign seats](assign-seats.md) -- [Reclaim seat from user](reclaim-seat-from-user.md) -- [Bulk assign and reclaim seats for users](bulk-assign-and-reclaim-seats-from-user.md) -- [Get seats assigned to a user](get-seats-assigned-to-a-user.md) - diff --git a/windows/client-management/reclaim-seat-from-user.md b/windows/client-management/reclaim-seat-from-user.md deleted file mode 100644 index f6508be544..0000000000 --- a/windows/client-management/reclaim-seat-from-user.md +++ /dev/null 
@@ -1,47 +0,0 @@ ---- -title: Reclaim seat from user -description: The Reclaim seat from user operation returns reclaimed seats for a user in the Microsoft Store for Business. -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: article -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 05/05/2020 ---- - -# Reclaim seat from user - -The **Reclaim seat from user** operation returns reclaimed seats for a user in the Microsoft Store for Business. - -## Request - -|Method|Request URI| -|--- |--- | -|DELETE|`https://bspmts.mp.microsoft.com/V1/Inventory/{productId}/{skuId}/Seats/{username}`| - - -### URI parameters - -The following parameters may be specified in the request URI. - -|Parameter|Type|Description| -|--- |--- |--- | -|productId|string|Required. Product identifier for an application that is used by the Store for Business.| -|skuId|string|Required. Product identifier that specifies a specific SKU of an application.| -|username|string|Requires UserPrincipalName (UPN). User name of the target user account.| - -## Response - -### Response body - -The response body contains [SeatDetails](data-structures-windows-store-for-business.md#seatdetails). - -|Error code|Description|Retry|Data field|Details| -|--- |--- |--- |--- |--- | -|400|Invalid parameters|No|Parameter name
        Reason: Invalid parameter
        Details: String|Invalid can include productId, skuId or userName| -|404|Not found||Item type: Inventory, User, Seat
        Values: ProductId/SkuId, UserName,
        ProductId/SkuId/UserName|ItemType: Inventory, User, Seat
        Values: ProductId/SkuId, UserName, ProductId/SkuId/UserName| -|409|Conflict||Reason: Not online|| - -  diff --git a/windows/client-management/rest-api-reference-windows-store-for-business.md b/windows/client-management/rest-api-reference-windows-store-for-business.md deleted file mode 100644 index 526f7f8c83..0000000000 --- a/windows/client-management/rest-api-reference-windows-store-for-business.md +++ /dev/null 
@@ -1,71 +0,0 @@ ---- -title: REST API reference for Microsoft Store for Business -description: Learn how the REST API reference for Microsoft Store for Business includes available operations and data structures. -MS-HAID: - - 'p\_phdevicemgmt.business\_store\_portal\_management\_rest\_api\_reference' - - 'p\_phDeviceMgmt.rest\_api\_reference\_windows\_store\_for\_Business' -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: article -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/18/2017 ---- - -# REST API reference for Microsoft Store for Business - -Here's the list of available operations: - -- [Get Inventory](get-inventory.md) -- [Get product details](get-product-details.md) -- [Get localized product details](get-localized-product-details.md) -- [Get offline license](get-offline-license.md) -- [Get product packages](get-product-packages.md) -- [Get product package](get-product-package.md) -- [Get seats](get-seats.md) -- [Get seat](get-seat.md) -- [Assign seats](assign-seats.md) -- [Reclaim seat from user](reclaim-seat-from-user.md) -- [Bulk assign and reclaim seats for users](bulk-assign-and-reclaim-seats-from-user.md) -- [Get seats assigned to a user](get-seats-assigned-to-a-user.md) - -Here's the list of data structures: - -- [AlternateIdentifier](data-structures-windows-store-for-business.md#alternateidentifier) -- [BulkSeatOperationResultSet](data-structures-windows-store-for-business.md#bulkseatoperationresultset) -- [FailedSeatRequest](data-structures-windows-store-for-business.md#failedseatrequest) -- [FrameworkPackageDetails](data-structures-windows-store-for-business.md#frameworkpackagedetails) -- [InventoryDistributionPolicy](data-structures-windows-store-for-business.md#inventorydistributionpolicy) -- [InventoryEntryDetails](data-structures-windows-store-for-business.md#inventoryentrydetails) -- [InventoryResultSet](data-structures-windows-store-for-business.md#inventoryresultset) -- 
[InventoryStatus](data-structures-windows-store-for-business.md#inventorystatus) -- [LicenseType](data-structures-windows-store-for-business.md#licensetype) -- [LocalizedProductDetail](data-structures-windows-store-for-business.md#localizedproductdetail) -- [OfflineLicense](data-structures-windows-store-for-business.md#offlinelicense) -- [PackageLocation](data-structures-windows-store-for-business.md#packagelocation) -- [ProductArchitectures](data-structures-windows-store-for-business.md#productarchitectures) -- [ProductDetails](data-structures-windows-store-for-business.md#productdetails) -- [ProductImage](data-structures-windows-store-for-business.md#productimage) -- [ProductKey](data-structures-windows-store-for-business.md#productkey) -- [ProductPackageDetails](data-structures-windows-store-for-business.md#productpackagedetails) -- [ProductPackageFormat](data-structures-windows-store-for-business.md#productpackageformat) -- [ProductPackageSet](data-structures-windows-store-for-business.md#productpackageset) -- [ProductPlatform](data-structures-windows-store-for-business.md#productplatform) -- [PublisherDetails](data-structures-windows-store-for-business.md#publisherdetails) -- [SeatAction](data-structures-windows-store-for-business.md#seataction) -- [SeatDetails](data-structures-windows-store-for-business.md#seatdetails) -- [SeatDetailsResultSet](data-structures-windows-store-for-business.md#seatdetailsresultset) -- [SeatState](data-structures-windows-store-for-business.md#seatstate) -- [SupportedProductPlatform](data-structures-windows-store-for-business.md#supportedproductplatform) -- [VersionInfo](data-structures-windows-store-for-business.md#versioninfo) - - -  - - - - - - From 3859eff552fc67e3511b4413143fb4f513914077 Mon Sep 17 00:00:00 2001 
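Review bot: the deletions in this series (data-structures-windows-store-for-business.md, get-inventory.md, get-localized-product-details.md, get-offline-license.md, get-product-details.md, get-product-package.md, get-product-packages.md, get-seat.md, get-seats-assigned-to-a-user.md, get-seats.md, management-tool-for-windows-store-for-business.md, reclaim-seat-from-user.md and rest-api-reference-windows-store-for-business.md) are not accompanied by any change to the docs redirection file in the visible hunks, so published URLs for these pages will start returning 404 to existing bookmarks and external links; add a redirection entry for each removed path (the deleted management-tool page itself points at /microsoft-store/ as the landing page for this topic, which is a reasonable target) in the same PR. The operation lists in the deleted management-tool and rest-api-reference pages also link to assign-seats.md and bulk-assign-and-reclaim-seats-from-user.md, which do not appear in this part of the series; confirm those two pages are deleted or redirected too, otherwise they remain as orphaned pages whose links to data-structures-windows-store-for-business.md are now broken.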
From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Tue, 14 Mar 2023 15:26:16 -0400 Subject: [PATCH 055/101] Update TOC --- windows/client-management/toc.yml | 36 ++----------------------------- 1 file changed, 2 insertions(+), 34 deletions(-) diff --git a/windows/client-management/toc.yml b/windows/client-management/toc.yml index bd831a11be..ab8ddd9fcc 100644 --- a/windows/client-management/toc.yml +++ b/windows/client-management/toc.yml 
@@ -44,40 +44,8 @@ items: items: - name: Enterprise app management href: enterprise-app-management.md - items: - - name: Deploy and configure App-V apps using MDM - href: appv-deploy-and-config.md - - name: Management tool for the Microsoft Store for Business - href: management-tool-for-windows-store-for-business.md - - name: REST API reference for Microsoft Store for Business - href: rest-api-reference-windows-store-for-business.md - items: - - name: Data structures for Microsoft Store for Business - href: data-structures-windows-store-for-business.md - - name: Get Inventory - href: get-inventory.md - - name: Get product details - href: get-product-details.md - - name: Get localized product details - href: get-localized-product-details.md - - name: Get offline license - href: get-offline-license.md - - name: Get product packages - href: get-product-packages.md - - name: Get product package - href: get-product-package.md - - name: Get seats - href: get-seats.md - - name: Get seat - href: get-seat.md - - name: Assign seats - href: assign-seats.md - - name: Reclaim seat from user - href: reclaim-seat-from-user.md - - name: Bulk assign and reclaim seats from users - href: bulk-assign-and-reclaim-seats-from-user.md - - name: Get seats assigned to a user - href: get-seats-assigned-to-a-user.md + - name: Deploy and configure App-V apps using MDM + href: appv-deploy-and-config.md - name: Mobile device management (MDM) for device updates href: device-update-management.md - name: Secured-Core PC Configuration Lock From 0b74c27ad4c5dc2f62a4bbf0845e0ab6b181292c Mon Sep 17 00:00:00 2001 
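Review bot: besides dropping the Store for Business subtree, this hunk removes the `items:` line under "Enterprise app management" and re-adds "Deploy and configure App-V apps using MDM" as a bare `- name:` / `href:` pair; as far as the flattened indentation allows one to tell, that promotes the App-V article from a child of Enterprise app management to its sibling. If the nesting is meant to stay, keep the `- items:` line and delete only the Store for Business entries beneath it. Separately, the fifteen removed `href` targets (management-tool-for-windows-store-for-business.md, rest-api-reference-windows-store-for-business.md, data-structures-windows-store-for-business.md and the twelve operation pages from get-inventory.md to get-seats-assigned-to-a-user.md) each need a redirect entry, since removing them from the TOC alone does nothing for bookmarks and external links.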
From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Tue, 14 Mar 2023 15:49:18 -0400 Subject: [PATCH 056/101] Remove change-history-for-mdm-documentation.md --- .openpublishing.redirection.json | 7 +- .../change-history-for-mdm-documentation.md | 317 ------------------ ...ew-in-windows-mdm-enrollment-management.md | 64 ++-- windows/client-management/toc.yml | 2 - 4 files changed, 33 insertions(+), 357 deletions(-) delete mode 100644 windows/client-management/change-history-for-mdm-documentation.md diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index ee5d65bcc5..2a10d4ad71 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -19697,7 +19697,12 @@ }, { "source_path": "windows/client-management/mdm/change-history-for-mdm-documentation.md", - "redirect_url": "/windows/client-management/change-history-for-mdm-documentation", + "redirect_url": "/windows/client-management/new-in-windows-mdm-enrollment-management", + "redirect_document_id": false + }, + { + "source_path": "windows/client-management/change-history-for-mdm-documentation.md", + "redirect_url": "/windows/client-management/new-in-windows-mdm-enrollment-management", "redirect_document_id": false }, { diff --git a/windows/client-management/change-history-for-mdm-documentation.md b/windows/client-management/change-history-for-mdm-documentation.md deleted file mode 100644 index 36449cf15b..0000000000 --- a/windows/client-management/change-history-for-mdm-documentation.md +++ /dev/null 
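Review bot: repointing the existing `windows/client-management/mdm/change-history-for-mdm-documentation.md` entry straight at `/windows/client-management/new-in-windows-mdm-enrollment-management`, rather than leaving it aimed at the page this patch deletes, is the right call because it avoids a chained redirect, and the new entry for `windows/client-management/change-history-for-mdm-documentation.md` follows the same pattern. One point to confirm: the stat header shows 317 lines deleted from the change-history file against 64 lines touched in new-in-windows-mdm-enrollment-management.md and only 33 insertions across the whole patch, so most of the 2018 to 2020 history tables are not carried over, and readers who follow the redirect land on a page that no longer lists those changes. If dropping that history is intentional, state it in the commit message; otherwise consider keeping the page behind its existing "no longer updated" notice and redirecting only the mdm/ path.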
@@ -1,317 +0,0 @@ ---- -title: Change history for MDM documentation -description: This article lists new and updated articles for Mobile Device Management. -author: vinaypamnani-msft -ms.author: vinpa -ms.reviewer: -manager: aaroncz -ms.topic: article -ms.prod: windows-client -ms.technology: itpro-manage -ms.localizationpriority: medium -ms.date: 11/06/2020 ---- - -# Change history for Mobile Device Management documentation - -As of November 2020 This page will no longer be updated. This article lists new and updated articles for the Mobile Device Management (MDM) documentation. Updated articles are those articles that had content addition, removal, or corrections—minor fixes, such as correction of typos, style, or formatting issues aren't listed. - -## November 2020 - -|New or updated article | Description| -|--- | ---| -| [Policy CSP](mdm/policy-configuration-service-provider.md) | Added the following new policy:
        - [Multitasking/BrowserAltTabBlowout](mdm/policy-csp-multitasking.md#browseralttabblowout) | -| [SurfaceHub CSP](mdm/surfacehub-csp.md) | Added the following new node:
        -Properties/SleepMode | - -## October 2020 - -|New or updated article | Description| -|--- | ---| -| [Policy CSP](mdm/policy-configuration-service-provider.md) | Added the following new policies
        - [Experience/DisableCloudOptimizedContent](mdm/policy-csp-experience.md#disablecloudoptimizedcontent)
        - [LocalUsersAndGroups/Configure](mdm/policy-csp-localusersandgroups.md#configure)
        - [MixedReality/AADGroupMembershipCacheValidityInDays](mdm/policy-csp-mixedreality.md#aadgroupmembershipcachevalidityindays)
        - [MixedReality/BrightnessButtonDisabled](mdm/policy-csp-mixedreality.md#brightnessbuttondisabled)
        - [MixedReality/FallbackDiagnostics](mdm/policy-csp-mixedreality.md#fallbackdiagnostics)
        - [MixedReality/MicrophoneDisabled](mdm/policy-csp-mixedreality.md#microphonedisabled)
        - [MixedReality/VolumeButtonDisabled](mdm/policy-csp-mixedreality.md#volumebuttondisabled)
        - [Update/DisableWUfBSafeguards](mdm/policy-csp-update.md#disablewufbsafeguards)
        - [WindowsSandbox/AllowAudioInput](mdm/policy-csp-windowssandbox.md#allowaudioinput)
        - [WindowsSandbox/AllowClipboardRedirection](mdm/policy-csp-windowssandbox.md#allowclipboardredirection)
        - [WindowsSandbox/AllowNetworking](mdm/policy-csp-windowssandbox.md#allownetworking)
        - [WindowsSandbox/AllowPrinterRedirection](mdm/policy-csp-windowssandbox.md#allowprinterredirection)
        - [WindowsSandbox/AllowVGPU](mdm/policy-csp-windowssandbox.md#allowvgpu)
        - [WindowsSandbox/AllowVideoInput](mdm/policy-csp-windowssandbox.md#allowvideoinput) | - -## September 2020 - -|New or updated article | Description| -|--- | ---| -|[NetworkQoSPolicy CSP](mdm/networkqospolicy-csp.md)|Updated support information of the NetworkQoSPolicy CSP.| -|[Policy CSP - LocalPoliciesSecurityOptions](mdm/policy-csp-localpoliciessecurityoptions.md)|Removed the following unsupported LocalPoliciesSecurityOptions policy settings from the documentation:
        - RecoveryConsole_AllowAutomaticAdministrativeLogon
        - DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways
        - DomainMember_DigitallyEncryptSecureChannelDataWhenPossible
        - DomainMember_DisableMachineAccountPasswordChanges
        - SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems
        | - -## August 2020 - -|New or updated article | Description| -|--- | ---| -|[Policy CSP - System](mdm/policy-csp-system.md)|Removed the following policy settings:
        - System/AllowDesktopAnalyticsProcessing
        - System/AllowMicrosoftManagedDesktopProcessing
        - System/AllowUpdateComplianceProcessing
        - System/AllowWUfBCloudProcessing
        | - -## July 2020 - -|New or updated article | Description| -|--- | ---| -|[Policy CSP - System](mdm/policy-csp-system.md)|Added the following new policy settings:
        - System/AllowDesktopAnalyticsProcessing
        - System/AllowMicrosoftManagedDesktopProcessing
        - System/AllowUpdateComplianceProcessing
        - System/AllowWUfBCloudProcessing


        Updated the following policy setting:
        - System/AllowCommercialDataPipeline
        | - -## June 2020 - -|New or updated article | Description| -|--- | ---| -|[BitLocker CSP](mdm/bitlocker-csp.md)|Added SKU support table for **AllowStandardUserEncryption**.| -|[Policy CSP - NetworkIsolation](mdm/policy-csp-networkisolation.md)|Updated the description from Boolean to Integer for the following policy settings:
        EnterpriseIPRangesAreAuthoritative, EnterpriseProxyServersAreAuthoritative.| - -## May 2020 - -|New or updated article | Description| -|--- | ---| -|[BitLocker CSP](mdm/bitlocker-csp.md)|Added the bitmask table for the Status/DeviceEncryptionStatus node.| -|[Policy CSP - RestrictedGroups](mdm/policy-csp-restrictedgroups.md)| Updated the topic with more details. Added policy timeline table. - -## February 2020 - -|New or updated article | Description| -|--- | ---| -|[CertificateStore CSP](mdm/certificatestore-csp.md)
        [ClientCertificateInstall CSP](mdm/clientcertificateinstall-csp.md)|Added details about SubjectName value.| - -## January 2020 - -|New or updated article | Description| -|--- | ---| -|[Policy CSP - Defender](mdm/policy-csp-defender.md)|Added descriptions for supported actions for Defender/ThreatSeverityDefaultAction.| - -## November 2019 - -|New or updated article | Description| -|--- | ---| -|[Policy CSP - DeliveryOptimization](mdm/policy-csp-deliveryoptimization.md)|Added option 5 in the supported values list for DeliveryOptimization/DOGroupIdSource.| -|[DiagnosticLog CSP](mdm/diagnosticlog-csp.md)|Added substantial updates to this CSP doc.| - -## October 2019 - -|New or updated article | Description| -|--- | ---| -|[BitLocker CSP](mdm/bitlocker-csp.md)|Added the following new nodes:
        ConfigureRecoveryPasswordRotation, RotateRecoveryPasswords, RotateRecoveryPasswordsStatus, RotateRecoveryPasswordsRequestID.| -|[Defender CSP](mdm/defender-csp.md)|Added the following new nodes:
        Health/TamperProtectionEnabled, Health/IsVirtualMachine, Configuration, Configuration/TamperProtection, Configuration/EnableFileHashComputation.| - -## September 2019 - -|New or updated article | Description| -|--- | ---| -|[EnterpriseModernAppManagement CSP](mdm/enterprisemodernappmanagement-csp.md)|Added the following new node:
        IsStub.| -|[Policy CSP - Defender](mdm/policy-csp-defender.md)|Updated the supported value list for Defender/ScheduleScanDay policy.| -|[Policy CSP - DeviceInstallation](mdm/policy-csp-deviceinstallation.md)|Added the following new policies:
        DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs, DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs.| - -## August 2019 - -|New or updated article | Description| -|--- | ---| -|[DiagnosticLog CSP](mdm/diagnosticlog-csp.md)
        [DiagnosticLog DDF](mdm/diagnosticlog-ddf.md)|Added version 1.4 of the CSP in Windows 10, version 1903. Added the new 1.4 version of the DDF. Added the following new nodes:
        Policy, Policy/Channels, Policy/Channels/ChannelName, Policy/Channels/ChannelName/MaximumFileSize, Policy/Channels/ChannelName/SDDL, Policy/Channels/ChannelName/ActionWhenFull, Policy/Channels/ChannelName/Enabled, DiagnosticArchive, DiagnosticArchive/ArchiveDefinition, DiagnosticArchive/ArchiveResults.| -|[Enroll a Windows 10 device automatically using Group Policy](enroll-a-windows-10-device-automatically-using-group-policy.md)|Enhanced the article to include more reference links and the following two topics:
        Verify auto-enrollment requirements and settings, Troubleshoot auto-enrollment of devices.| - -## July 2019 - -|New or updated article | Description| -|--- | ---| -|[Policy CSP](mdm/policy-configuration-service-provider.md)|Added the following list:
        Policies supported by HoloLens 2| -|[ApplicationControl CSP](mdm/applicationcontrol-csp.md)|Added new CSP in Windows 10, version 1903.| -|[PassportForWork CSP](mdm/passportforwork-csp.md)|Added the following new nodes in Windows 10, version 1903:
        SecurityKey, SecurityKey/UseSecurityKeyForSignin| -|[Policy CSP - Privacy](mdm/policy-csp-privacy.md)|Added the following new policies:
        LetAppsActivateWithVoice, LetAppsActivateWithVoiceAboveLock| -|Create a custom configuration service provider|Deleted the following documents from the CSP reference because extensibility via CSPs isn't currently supported:
        Create a custom configuration service provider
        Design a custom configuration service provider
        IConfigServiceProvider2
        IConfigServiceProvider2::ConfigManagerNotification
        IConfigServiceProvider2::GetNode
        ICSPNode
        ICSPNode::Add
        ICSPNode::Clear
        ICSPNode::Copy
        ICSPNode::DeleteChild
        ICSPNode::DeleteProperty
        ICSPNode::Execute
        ICSPNode::GetChildNodeNames
        ICSPNode::GetProperty
        ICSPNode::GetPropertyIdentifiers
        ICSPNode::GetValue
        ICSPNode::Move
        ICSPNode::SetProperty
        ICSPNode::SetValue
        ICSPNodeTransactioning
        ICSPValidate
        Samples for writing a custom configuration service provider.| - -## June 2019 - -|New or updated article | Description| -|--- | ---| -|[Policy CSP - DeviceHealthMonitoring](mdm/policy-csp-devicehealthmonitoring.md)|Added the following new policies:
        AllowDeviceHealthMonitoring, ConfigDeviceHealthMonitoringScope, ConfigDeviceHealthMonitoringUploadDestination.| -|[Policy CSP - TimeLanguageSettings](mdm/policy-csp-timelanguagesettings.md)|Added the following new policy:
        ConfigureTimeZone.| - -## May 2019 - -|New or updated article | Description| -|--- | ---| -|[DeviceStatus CSP](mdm/devicestatus-csp.md)|Updated description of the following nodes:
        DeviceStatus/Antivirus/SignatureStatus, DeviceStatus/Antispyware/SignatureStatus.| -|[EnrollmentStatusTracking CSP](mdm/enrollmentstatustracking-csp.md)|Added new CSP in Windows 10, version 1903.| -|[Policy CSP - DeliveryOptimization](mdm/policy-csp-deliveryoptimization.md)|Added the following new policies:
        DODelayCacheServerFallbackBackground, DODelayCacheServerFallbackForeground.

        Updated description of the following policies:
        DOMinRAMAllowedToPeer, DOMinFileSizeToCache, DOMinDiskSizeAllowedToPeer.| -|[Policy CSP - Experience](mdm/policy-csp-experience.md)|Added the following new policy:
        ShowLockOnUserTile.| -|[Policy CSP - InternetExplorer](mdm/policy-csp-internetexplorer.md)|Added the following new policies:
        AllowEnhancedSuggestionsInAddressBar, DisableActiveXVersionListAutoDownload, DisableCompatView, DisableFeedsBackgroundSync, DisableGeolocation, DisableWebAddressAutoComplete, NewTabDefaultPage.| -|[Policy CSP - Power](mdm/policy-csp-power.md)|Added the following new policies:
        EnergySaverBatteryThresholdOnBattery, EnergySaverBatteryThresholdPluggedIn, SelectLidCloseActionOnBattery, SelectLidCloseActionPluggedIn, SelectPowerButtonActionOnBattery, SelectPowerButtonActionPluggedIn, SelectSleepButtonActionOnBattery, SelectSleepButtonActionPluggedIn, TurnOffHybridSleepOnBattery, TurnOffHybridSleepPluggedIn, UnattendedSleepTimeoutOnBattery, UnattendedSleepTimeoutPluggedIn.| -|[Policy CSP - Search](mdm/policy-csp-search.md)|Added the following new policy:
        AllowFindMyFiles.| -|[Policy CSP - ServiceControlManager](mdm/policy-csp-servicecontrolmanager.md)|Added the following new policy:
        SvchostProcessMitigation.| -|[Policy CSP - System](mdm/policy-csp-system.md)|Added the following new policies:
        AllowCommercialDataPipeline, TurnOffFileHistory.| -|[Policy CSP - Troubleshooting](mdm/policy-csp-troubleshooting.md)|Added the following new policy:
        AllowRecommendations.| -|[Policy CSP - Update](mdm/policy-csp-update.md)|Added the following new policies:
        AutomaticMaintenanceWakeUp, ConfigureDeadlineForFeatureUpdates, ConfigureDeadlineForQualityUpdates, ConfigureDeadlineGracePeriod, ConfigureDeadlineNoAutoReboot.| -|[Policy CSP - WindowsLogon](mdm/policy-csp-windowslogon.md)|Added the following new policies:
        AllowAutomaticRestartSignOn, ConfigAutomaticRestartSignOn, EnableFirstLogonAnimation.

        Removed the following policy:
        SignInLastInteractiveUserAutomaticallyAfterASystemInitiatedRestart. This policy is replaced by AllowAutomaticRestartSignOn.| - -## April 2019 - -| New or updated article | Description | -|-------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| [Win32 and Desktop Bridge app policy configuration](win32-and-centennial-app-policy-configuration.md) | Added the following warning at the end of the Overview section:
        Some operating system components have built in functionality to check devices for domain membership. MDM enforces the configured policy values only if the devices are domain joined, otherwise it doesn't. However, you can still import ADMX files and set ADMX-backed policies regardless of whether the device is domain joined or non-domain joined. | -| [Policy CSP - UserRights](mdm/policy-csp-userrights.md) | Added a note stating if you use Intune custom profiles to assign UserRights policies, you must use the CDATA tag () to wrap the data fields. | - -## March 2019 - -|New or updated article | Description| -|--- | ---| -|[Policy CSP - Storage](mdm/policy-csp-storage.md)|Updated ADMX Info of the following policies:
        AllowStorageSenseGlobal, AllowStorageSenseTemporaryFilesCleanup, ConfigStorageSenseCloudContentDehydrationThreshold, ConfigStorageSenseDownloadsCleanupThreshold, ConfigStorageSenseGlobalCadence, ConfigStorageSenseRecycleBinCleanupThreshold.

        Updated description of ConfigStorageSenseDownloadsCleanupThreshold.| - -## February 2019 - -|New or updated article | Description| -|--- | ---| -|[Policy CSP](mdm/policy-configuration-service-provider.md)|Updated supported policies for Holographic.| - -## January 2019 - -|New or updated article | Description| -|--- | ---| -|[Policy CSP - Storage](mdm/policy-csp-storage.md)|Added the following new policies: AllowStorageSenseGlobal, ConfigStorageSenseGlobalCadence, AllowStorageSenseTemporaryFilesCleanup, ConfigStorageSenseRecycleBinCleanupThreshold, ConfigStorageSenseDownloadsCleanupThreshold, and ConfigStorageSenseCloudContentCleanupThreshold.| -|[SharedPC CSP](mdm/sharedpc-csp.md)|Updated values and supported operations.| -|[Mobile device management](mdm/index.yml)|Updated information about MDM Security Baseline.| - -## December 2018 - -|New or updated article | Description| -|--- | ---| -|[BitLocker CSP](mdm/bitlocker-csp.md)|Updated AllowWarningForOtherDiskEncryption policy description to describe silent and non-silent encryption scenarios, as well as where and how the recovery key is backed up for each scenario.| - -## September 2018 - -|New or updated article | Description| -|--- | ---| -|[Policy CSP - DeviceGuard](mdm/policy-csp-deviceguard.md) | Updated ConfigureSystemGuardLaunch policy and replaced EnableSystemGuard with it.| - -## August 2018 - -|New or updated article|Description| -|--- |--- | -|[BitLocker CSP](mdm/bitlocker-csp.md)|Added support for Windows 10 Pro starting in the version 1809.| -|[Office CSP](mdm/office-csp.md)|Added FinalStatus setting in Windows 10, version 1809.| -|[RemoteWipe CSP](mdm/remotewipe-csp.md)|Added new settings in Windows 10, version 1809.| -|[TenantLockdown CSP](mdm/tenantlockdown-csp.md)|Added new CSP in Windows 10, version 1809.| -|[WindowsDefenderApplicationGuard CSP](mdm/windowsdefenderapplicationguard-csp.md)|Added new settings in Windows 10, version 1809.| -|[Policy DDF 
file](mdm/configuration-service-provider-ddf.md)|Posted an updated version of the Policy DDF for Windows 10, version 1809.| -|[Policy CSP](mdm/policy-configuration-service-provider.md)|Added the following new policies in Windows 10, version 1809:
      • Browser/AllowFullScreenMode
      • Browser/AllowPrelaunch
      • Browser/AllowPrinting
      • Browser/AllowSavingHistory
      • Browser/AllowSideloadingOfExtensions
      • Browser/AllowTabPreloading
      • Browser/AllowWebContentOnNewTabPage
      • Browser/ConfigureFavoritesBar
      • Browser/ConfigureHomeButton
      • Browser/ConfigureKioskMode
      • Browser/ConfigureKioskResetAfterIdleTimeout
      • Browser/ConfigureOpenMicrosoftEdgeWith
      • Browser/ConfigureTelemetryForMicrosoft365Analytics
      • Browser/PreventCertErrorOverrides
      • Browser/SetHomeButtonURL
      • Browser/SetNewTabPageURL
      • Browser/UnlockHomeButton
      • Experience/DoNotSyncBrowserSettings
      • Experience/PreventUsersFromTurningOnBrowserSyncing
      • Kerberos/UPNNameHints
      • Privacy/AllowCrossDeviceClipboard
      • Privacy
      • DisablePrivacyExperience
      • Privacy/UploadUserActivities
      • System/AllowDeviceNameInDiagnosticData
      • System/ConfigureMicrosoft365UploadEndpoint
      • System/DisableDeviceDelete
      • System/DisableDiagnosticDataViewer
      • Storage/RemovableDiskDenyWriteAccess
      • Update/UpdateNotificationLevel

        Start/DisableContextMenus - added in Windows 10, version 1803.

        RestrictedGroups/ConfigureGroupMembership - added new schema to apply and retrieve the policy.| - -## July 2018 - -|New or updated article|Description| -|--- |--- | -|[AssignedAccess CSP](mdm/assignedaccess-csp.md)|Added the following note:

        You can only assign one single app kiosk profile to an individual user account on a device. The single app profile doesn't support domain groups.| -|[PassportForWork CSP](mdm/passportforwork-csp.md)|Added new settings in Windows 10, version 1809.| -|[EnterpriseModernAppManagement CSP](mdm/enterprisemodernappmanagement-csp.md)|Added NonRemovable setting under AppManagement node in Windows 10, version 1809.| -|[Win32CompatibilityAppraiser CSP](mdm/win32compatibilityappraiser-csp.md)|Added new configuration service provider in Windows 10, version 1809.| -|[WindowsLicensing CSP](mdm/windowslicensing-csp.md)|Added S mode settings and SyncML examples in Windows 10, version 1809.| -|[SUPL CSP](mdm/supl-csp.md)|Added three new certificate nodes in Windows 10, version 1809.| -|[Defender CSP](mdm/defender-csp.md)|Added a new node Health/ProductStatus in Windows 10, version 1809.| -|[BitLocker CSP](mdm/bitlocker-csp.md)|Added a new node AllowStandardUserEncryption in Windows 10, version 1809.| -|[DevDetail CSP](mdm/devdetail-csp.md)|Added a new node SMBIOSSerialNumber in Windows 10, version 1809.| -|[Policy CSP](mdm/policy-configuration-service-provider.md)|Added the following new policies in Windows 10, version 1809:
      • ApplicationManagement/LaunchAppAfterLogOn
      • ApplicationManagement/ScheduleForceRestartForUpdateFailures
      • Authentication/EnableFastFirstSignIn (Preview mode only)
      • Authentication/EnableWebSignIn (Preview mode only)
      • Authentication/PreferredAadTenantDomainName
      • Defender/CheckForSignaturesBeforeRunningScan
      • Defender/DisableCatchupFullScan
      • Defender/DisableCatchupQuickScan
      • Defender/EnableLowCPUPriority
      • Defender/SignatureUpdateFallbackOrder
      • Defender/SignatureUpdateFileSharesSources
      • DeviceGuard/ConfigureSystemGuardLaunch
      • DeviceInstallation/AllowInstallationOfMatchingDeviceIDs
      • DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses
      • DeviceInstallation/PreventDeviceMetadataFromNetwork
      • DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings
      • DmaGuard/DeviceEnumerationPolicy
      • Experience/AllowClipboardHistory
      • Security/RecoveryEnvironmentAuthentication
      • TaskManager/AllowEndTask
      • WindowsDefenderSecurityCenter/DisableClearTpmButton
      • WindowsDefenderSecurityCenter/DisableTpmFirmwareUpdateWarning
      • WindowsDefenderSecurityCenter/HideWindowsSecurityNotificationAreaControl
      • WindowsLogon/DontDisplayNetworkSelectionUI

        Recent changes:
      • DataUsage/SetCost3G - deprecated in Windows 10, version 1809.| - -## June 2018 - -|New or updated article|Description| -|--- |--- | -|[Wifi CSP](mdm/wifi-csp.md)|Added a new node WifiCost in Windows 10, version 1809.| -|[Diagnose MDM failures in Windows 10](diagnose-mdm-failures-in-windows-10.md)|Recent changes:
      • Added procedure for collecting logs remotely from Windows 10 Holographic.
      • Added procedure for downloading the MDM Diagnostic Information log.| -|[BitLocker CSP](mdm/bitlocker-csp.md)|Added new node AllowStandardUserEncryption in Windows 10, version 1809.| -|[Policy CSP](mdm/policy-configuration-service-provider.md)|Recent changes:
      • AccountPoliciesAccountLockoutPolicy
      • AccountLockoutDuration - removed from docs. Not supported.
      • AccountPoliciesAccountLockoutPolicy/AccountLockoutThreshold - removed from docs. Not supported.
      • AccountPoliciesAccountLockoutPolicy/ResetAccountLockoutCounterAfter - removed from docs. Not supported.
      • LocalPoliciesSecurityOptions/NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers - removed from docs. Not supported.
      • System/AllowFontProviders isn't supported in HoloLens (first gen) Commercial Suite.
      • Security/RequireDeviceEncryption is supported in the Home SKU.
      • Start/StartLayout - added a table of SKU support information.
      • Start/ImportEdgeAssets - added a table of SKU support information.

        Added the following new policies in Windows 10, version 1809:
      • Update/EngagedRestartDeadlineForFeatureUpdates
      • Update/EngagedRestartSnoozeScheduleForFeatureUpdates
      • Update/EngagedRestartTransitionScheduleForFeatureUpdates
      • Update/SetDisablePauseUXAccess
      • Update/SetDisableUXWUAccess| -|[WiredNetwork CSP](mdm/wirednetwork-csp.md)|New CSP added in Windows 10, version 1809.| - -## May 2018 - -|New or updated article|Description| -|--- |--- | -|[Policy DDF file](mdm/configuration-service-provider-ddf.md)|Updated the DDF files in the Windows 10 version 1703 and 1709.
      • [Download the Policy DDF file for Windows 10, version 1709](https://download.microsoft.com/download/8/C/4/8C43C116-62CB-470B-9B69-76A3E2BC32A8/PolicyDDF_all.xml)
      • [Download the Policy DDF file for Windows 10, version 1703](https://download.microsoft.com/download/7/2/C/72C36C37-20F9-41BF-8E23-721F6FFC253E/PolicyDDF_all.xml)| - -## April 2018 - -|New or updated article|Description| -|--- |--- | -|[WindowsDefenderApplicationGuard CSP](mdm/windowsdefenderapplicationguard-csp.md)|Added the following node in Windows 10, version 1803:
      • Settings/AllowVirtualGPU
      • Settings/SaveFilesToHost| -|[NetworkProxy CSP](mdm/networkproxy-csp.md)|Added the following node in Windows 10, version 1803:
      • ProxySettingsPerUser| -|[Accounts CSP](mdm/accounts-csp.md)|Added a new CSP in Windows 10, version 1803.| -|[CSP DDF files download](mdm/configuration-service-provider-ddf.md)|Added the DDF download of Windows 10, version 1803 configuration service providers.| -|[Policy CSP](mdm/policy-configuration-service-provider.md)|Added the following new policies for Windows 10, version 1803:
      • Bluetooth/AllowPromptedProximalConnections
      • KioskBrowser/EnableEndSessionButton
      • LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AddRemoteServerExceptionsForNTLMAuthentication
      • LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AuditIncomingNTLMTraffic
      • LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_IncomingNTLMTraffic
      • LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers| - -## March 2018 - -|New or updated article|Description| -|--- |--- | -|[eUICCs CSP](mdm/euiccs-csp.md)|Added the following node in Windows 10, version 1803:
      • IsEnabled| -|[DeviceStatus CSP](mdm/devicestatus-csp.md)|Added the following node in Windows 10, version 1803:
      • OS/Mode| -|[Understanding ADMX-backed policies](understanding-admx-backed-policies.md)|Added the following videos:
      • [How to create a custom xml to enable an ADMX-backed policy and deploy the XML in Intune](https://www.microsoft.com/showcase/video.aspx?uuid=bdc9b54b-11b0-4bdb-a022-c339d16e7121)
      • [How to import a custom ADMX file to a device using Intune](https://www.microsoft.com/showcase/video.aspx?uuid=a59888b1-429f-4a49-8570-c39a143d9a73)| -|[AccountManagement CSP](mdm/accountmanagement-csp.md)|Added a new CSP in Windows 10, version 1803.| -|[RootCATrustedCertificates CSP](mdm/rootcacertificates-csp.md)|Added the following node in Windows 10, version 1803:
      • UntrustedCertificates| -|[Policy CSP](mdm/policy-configuration-service-provider.md)|Added the following new policies for Windows 10, version 1803:
      • ApplicationDefaults/EnableAppUriHandlers
      • ApplicationManagement/MSIAllowUserControlOverInstall
      • ApplicationManagement/MSIAlwaysInstallWithElevatedPrivileges
      • Connectivity/AllowPhonePCLinking
      • Notifications/DisallowCloudNotification
      • Notifications/DisallowTileNotification
      • RestrictedGroups/ConfigureGroupMembership

        The following existing policies were updated:
      • Browser/AllowCookies - updated the supported values. There are three values - 0, 1, 2.
      • InternetExplorer/AllowSiteToZoneAssignmentList - updated the description and added an example SyncML
      • TextInput/AllowIMENetworkAccess - introduced new suggestion services in Japanese IME in addition to cloud suggestion.

        Added a new section:
      • [[Policies in Policy CSP supported by Group Policy](mdm/policies-in-policy-csp-supported-by-group-policy.md) - list of policies in Policy CSP that has corresponding Group Policy. The policy description contains the GP information, such as GP policy name and variable name.| -|[Policy CSP - Bluetooth](mdm/policy-csp-bluetooth.md)|Added new section [ServicesAllowedList usage guide](mdm/policy-csp-bluetooth.md#servicesallowedlist-usage-guide).| -|[MultiSIM CSP](mdm/multisim-csp.md)|Added SyncML examples and updated the settings descriptions.| -|[RemoteWipe CSP](mdm/remotewipe-csp.md)|Reverted back to Windows 10, version 1709. Removed previous draft documentation for version 1803.| - -## February 2018 - -|New or updated article|Description| -|--- |--- | -|[Policy CSP](mdm/policy-configuration-service-provider.md)|Added the following new policies for Windows 10, version 1803:
      • Display/DisablePerProcessDpiForApps
      • Display/EnablePerProcessDpi
      • Display/EnablePerProcessDpiForApps
      • Experience/AllowWindowsSpotlightOnSettings
      • TextInput/ForceTouchKeyboardDockedState
      • TextInput/TouchKeyboardDictationButtonAvailability
      • TextInput/TouchKeyboardEmojiButtonAvailability
      • TextInput/TouchKeyboardFullModeAvailability
      • TextInput/TouchKeyboardHandwritingModeAvailability
      • TextInput/TouchKeyboardNarrowModeAvailability
      • TextInput/TouchKeyboardSplitModeAvailability
      • TextInput/TouchKeyboardWideModeAvailability| -|[VPNv2 ProfileXML XSD](mdm/vpnv2-profile-xsd.md)|Updated the XSD and Plug-in profile example for VPNv2 CSP.| -|[AssignedAccess CSP](mdm/assignedaccess-csp.md)|Added the following nodes in Windows 10, version 1803:
      • Status
      • ShellLauncher
      • StatusConfiguration

        Updated the AssigneAccessConfiguration schema. Starting in Windows 10, version 1803 AssignedAccess CSP is supported in HoloLens (first gen) Commercial Suite. Added example for HoloLens (first gen) Commercial Suite.| -|[MultiSIM CSP](mdm/multisim-csp.md)|Added a new CSP in Windows 10, version 1803.| -|[EnterpriseModernAppManagement CSP](mdm/enterprisemodernappmanagement-csp.md)|Added the following node in Windows 10, version 1803:
      • MaintainProcessorArchitectureOnUpdate| - -## January 2018 - -|New or updated article|Description| -|--- |--- | -|[Policy CSP](mdm/policy-configuration-service-provider.md)|Added the following new policies for Windows 10, version 1803:
      • Browser/AllowConfigurationUpdateForBooksLibrary
      • Browser/AlwaysEnableBooksLibrary
      • Browser/EnableExtendedBooksTelemetry
      • Browser/UseSharedFolderForBooks
      • DeliveryOptimization/DODelayBackgroundDownloadFromHttp
      • DeliveryOptimization/DODelayForegroundDownloadFromHttp
      • DeliveryOptimization/DOGroupIdSource
      • DeliveryOptimization/DOPercentageMaxBackDownloadBandwidth
      • DeliveryOptimization/DOPercentageMaxForeDownloadBandwidth
      • DeliveryOptimization/DORestrictPeerSelectionBy
      • DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth
      • DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth
      • KioskBrowser/BlockedUrlExceptions
      • KioskBrowser/BlockedUrls
      • KioskBrowser/DefaultURL
      • KioskBrowser/EnableHomeButton
      • KioskBrowser/EnableNavigationButtons
      • KioskBrowser/RestartOnIdleTime
      • LocalPoliciesSecurityOptions/Devices_AllowUndockWithoutHavingToLogon
      • LocalPoliciesSecurityOptions/Devices_AllowedToFormatAndEjectRemovableMedia
      • LocalPoliciesSecurityOptions/Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters
      • LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly
      • LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior
      • LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees
      • LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers
      • LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways
      • LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees
      • LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts
      • LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares
      • LocalPoliciesSecurityOptions/NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares
      • LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM
      • LocalPoliciesSecurityOptions/NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange
      • LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel
      • LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients
      • LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers
      • LocalPoliciesSecurityOptions/Shutdown_ClearVirtualMemoryPageFile
      • LocalPoliciesSecurityOptions/UserAccountControl_DetectApplicationInstallationsAndPromptForElevation
      • LocalPoliciesSecurityOptions/UserAccountControl_UseAdminApprovalMode
      • RestrictedGroups/ConfigureGroupMembership
      • Search/AllowCortanaInAAD
      • Search/DoNotUseWebResults
      • Security/ConfigureWindowsPasswords
      • System/FeedbackHubAlwaysSaveDiagnosticsLocally
      • SystemServices/ConfigureHomeGroupListenerServiceStartupMode
      • SystemServices/ConfigureHomeGroupProviderServiceStartupMode
      • SystemServices/ConfigureXboxAccessoryManagementServiceStartupMode
      • SystemServices/ConfigureXboxLiveAuthManagerServiceStartupMode
      • SystemServices/ConfigureXboxLiveGameSaveServiceStartupMode
      • SystemServices/ConfigureXboxLiveNetworkingServiceStartupMode
      • TaskScheduler/EnableXboxGameSaveTask
      • TextInput/EnableTouchKeyboardAutoInvokeInDesktopMode
      • Update/ConfigureFeatureUpdateUninstallPeriod
      • UserRights/AccessCredentialManagerAsTrustedCaller
      • UserRights/AccessFromNetwork
      • UserRights/ActAsPartOfTheOperatingSystem
      • UserRights/AllowLocalLogOn
      • UserRights/BackupFilesAndDirectories
      • UserRights/ChangeSystemTime
      • UserRights/CreateGlobalObjects
      • UserRights/CreatePageFile
      • UserRights/CreatePermanentSharedObjects
      • UserRights/CreateSymbolicLinks
      • UserRights/CreateToken
      • UserRights/DebugPrograms
      • UserRights/DenyAccessFromNetwork
      • UserRights/DenyLocalLogOn
      • UserRights/DenyRemoteDesktopServicesLogOn
      • UserRights/EnableDelegation
      • UserRights/GenerateSecurityAudits
      • UserRights/ImpersonateClient
      • UserRights/IncreaseSchedulingPriority
      • UserRights/LoadUnloadDeviceDrivers
      • UserRights/LockMemory
      • UserRights/ManageAuditingAndSecurityLog
      • UserRights/ManageVolume
      • UserRights/ModifyFirmwareEnvironment
      • UserRights/ModifyObjectLabel
      • UserRights/ProfileSingleProcess
      • UserRights/RemoteShutdown
      • UserRights/RestoreFilesAndDirectories
      • UserRights/TakeOwnership
      • WindowsDefenderSecurityCenter/DisableAccountProtectionUI
      • WindowsDefenderSecurityCenter/DisableDeviceSecurityUI
      • WindowsDefenderSecurityCenter/HideRansomwareDataRecovery
      • WindowsDefenderSecurityCenter/HideSecureBoot
      • WindowsDefenderSecurityCenter/HideTPMTroubleshooting

        Added the following policies in Windows 10, version 1709
      • DeviceLock/MinimumPasswordAge
      • Settings/AllowOnlineTips
      • System/DisableEnterpriseAuthProxy

        Security/RequireDeviceEncryption - updated to show it's supported in desktop.| -|[BitLocker CSP](mdm/bitlocker-csp.md)|Updated the description for AllowWarningForOtherDiskEncryption to describe changes added in Windows 10, version 1803.| -|[EnterpriseModernAppManagement CSP](mdm/enterprisemodernappmanagement-csp.md)|Added new node MaintainProcessorArchitectureOnUpdate in Windows 10, next major update.| -|[DMClient CSP](mdm/dmclient-csp.md)|Added ./User/Vendor/MSFT/DMClient/Provider/[ProviderID]/FirstSyncStatus node. Also added the following nodes in Windows 10, version 1803:
      • AADSendDeviceToken
      • BlockInStatusPage
      • AllowCollectLogsButton
      • CustomErrorText
      • SkipDeviceStatusPage
      • SkipUserStatusPage| -|[Defender CSP](mdm/defender-csp.md)|Added new node (OfflineScan) in Windows 10, version 1803.| -|[UEFI CSP](mdm/uefi-csp.md)|Added a new CSP in Windows 10, version 1803.| -|[Update CSP](mdm/update-csp.md)|Added the following nodes in Windows 10, version 1803:
      • Rollback
      • Rollback/FeatureUpdate
      • Rollback/QualityUpdateStatus
      • Rollback/FeatureUpdateStatus| - -## December 2017 - -|New or updated article|Description| -|--- |--- | -|[Configuration service provider reference](mdm/index.yml)|Added new section [CSP DDF files download](mdm/configuration-service-provider-ddf.md)| - -## November 2017 - -|New or updated article|Description| -|--- |--- | -|[Policy CSP](mdm/policy-configuration-service-provider.md)|Added the following policies for Windows 10, version 1709:
      • Authentication/AllowFidoDeviceSignon
      • Cellular/LetAppsAccessCellularData
      • Cellular/LetAppsAccessCellularData_ForceAllowTheseApps
      • Cellular/LetAppsAccessCellularData_ForceDenyTheseApps
      • Cellular/LetAppsAccessCellularData_UserInControlOfTheseApps
      • Start/HidePeopleBar
      • Storage/EnhancedStorageDevices
      • Update/ManagePreviewBuilds
      • WirelessDisplay/AllowMdnsAdvertisement
      • WirelessDisplay/AllowMdnsDiscovery

        Added missing policies from previous releases:
      • Connectivity/DisallowNetworkConnectivityActiveTest
      • Search/AllowWindowsIndexer| - -## October 2017 - -| New or updated article | Description | -| --- | --- | -| [Policy DDF file](mdm/configuration-service-provider-ddf.md) | Updated the DDF content for Windows 10 version 1709. Added a link to the download of Policy DDF for Windows 10, version 1709. | -| [Policy CSP](mdm/policy-configuration-service-provider.md) | Updated the following policies:

        - Defender/ControlledFolderAccessAllowedApplications - string separator is `|`
        - Defender/ControlledFolderAccessProtectedFolders - string separator is `|` | -| [eUICCs CSP](mdm/euiccs-csp.md) | Added new CSP in Windows 10, version 1709. | -| [AssignedAccess CSP](mdm/assignedaccess-csp.md) | Added SyncML examples for the new Configuration node. | -| [DMClient CSP](mdm/dmclient-csp.md) | Added new nodes to the DMClient CSP in Windows 10, version 1709. Updated the CSP and DDF topics. | - -## September 2017 - -|New or updated article|Description| -|--- |--- | -|[Policy CSP](mdm/policy-configuration-service-provider.md)|Added the following new policies for Windows 10, version 1709:
      • Authentication/AllowAadPasswordReset
      • Handwriting/PanelDefaultModeDocked
      • Search/AllowCloudSearch
      • System/LimitEnhancedDiagnosticDataWindowsAnalytics

        Added new settings to Update/BranchReadinessLevel policy in Windows 10 version 1709.| -|[AssignedAccess CSP](mdm/assignedaccess-csp.md)|Starting in Windows 10, version 1709, AssignedAccess CSP is also supported in Windows 10 Pro.| -|Microsoft Store for Business and Microsoft Store|Windows Store for Business name changed to Microsoft Store for Business. Windows Store name changed to Microsoft Store.| -|The [[MS-MDE2]: Mobile Device Enrollment Protocol Version 2](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692)|The Windows 10 enrollment protocol was updated. The following elements were added to the RequestSecurityToken message:
      • UXInitiated - boolean value that indicates whether the enrollment is user initiated from the Settings page.
      • ExternalMgmtAgentHint - a string the agent uses to give hints the enrollment server may need.
      • DomainName - fully qualified domain name if the device is domain-joined.

        For examples, see section 4.3.1 RequestSecurityToken of the MS-MDE2 protocol documentation.| -|[EnterpriseAPN CSP](mdm/enterpriseapn-csp.md)|Added a SyncML example.| -|[VPNv2 CSP](mdm/vpnv2-csp.md)|Added RegisterDNS setting in Windows 10, version 1709.| -|[Enroll a Windows 10 device automatically using Group Policy](enroll-a-windows-10-device-automatically-using-group-policy.md)|Added new topic to introduce a new Group Policy for automatic MDM enrollment.| -|[MDM enrollment of Windows-based devices](mdm-enrollment-of-windows-devices.md)|New features in the Settings app:
      • User sees installation progress of critical policies during MDM enrollment.
      • User knows what policies, profiles, apps MDM has configured
      • IT helpdesk can get detailed MDM diagnostic information using client tools

        For details, see [Managing connections](mdm-enrollment-of-windows-devices.md#manage-connections) and [Collecting diagnostic logs](mdm-enrollment-of-windows-devices.md#collecting-diagnostic-logs)| - -## August 2017 - -|New or updated article|Description| -|--- |--- | -|[Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md)|Added new step-by-step guide to enable ADMX-backed policies.| -|[Mobile device enrollment](mobile-device-enrollment.md)|Added the following statement:

        Devices that are joined to an on-premises Active Directory can enroll into MDM via the Work access page in Settings. However, the enrollment can only target the user enrolled with user-specific policies. Device targeted policies will continue to impact all users of the device.| -|[CM_CellularEntries CSP](mdm/cm-cellularentries-csp.md)|Updated the description of the PuposeGroups node to add the GUID for applications. This node is required instead of optional.| -|[EnterpriseDataProtection CSP](mdm/enterprisedataprotection-csp.md)|Updated the Settings/EDPEnforcementLevel values to the following values:
      • 0 (default) – Off / No protection (decrypts previously protected data).
      • 1 – Silent mode (encrypt and audit only).
      • 2 – Allow override mode (encrypt, prompt and allow overrides, and audit).
      • 3 – Hides overrides (encrypt, prompt but hide overrides, and audit).| -|[AppLocker CSP](mdm/applocker-csp.md)|Added two new SyncML examples (to disable the calendar app and to block usage of the map app) in [Allowlist examples](mdm/applocker-csp.md#allowlist-examples).| -|[DeviceManageability CSP](mdm/devicemanageability-csp.md)|Added the following settings in Windows 10, version 1709:
      • Provider/ProviderID/ConfigInfo
      • Provider/ProviderID/EnrollmentInfo| -|[Office CSP](mdm/office-csp.md)|Added the following setting in Windows 10, version 1709:
      • Installation/CurrentStatus| -|[BitLocker CSP](mdm/bitlocker-csp.md)|Added information to the ADMX-backed policies. Changed the minimum personal identification number (PIN) length to four digits in SystemDrivesRequireStartupAuthentication and SystemDrivesMinimumPINLength in Windows 10, version 1709.| -|[Firewall CSP](mdm/firewall-csp.md)|Updated the CSP and DDF topics. Here are the changes:
      • Removed the two settings - FirewallRules/FirewallRuleName/FriendlyName and FirewallRules/FirewallRuleName/IcmpTypesAndCodes.
      • Changed some data types from integer to bool.
      • Updated the list of supported operations for some settings.
      • Added default values.| -|[Policy DDF file](mdm/configuration-service-provider-ddf.md)|Added another Policy DDF file [download](https://download.microsoft.com/download/6/1/C/61C022FD-6F5D-4F73-9047-17F630899DC4/PolicyDDF_all_version1607_8C.xml) for the 8C release of Windows 10, version 1607, which added the following policies:
      • Browser/AllowMicrosoftCompatibilityList
      • Update/DisableDualScan
      • Update/FillEmptyContentUrls| -|[Policy CSP](mdm/policy-configuration-service-provider.md)|Added the following new policies for Windows 10, version 1709:
      • Browser/ProvisionFavorites
      • Browser/LockdownFavorites
      • ExploitGuard/ExploitProtectionSettings
      • Games/AllowAdvancedGamingServices
      • LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts
      • LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly
      • LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount
      • LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount
      • LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked
      • LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayLastSignedIn
      • LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayUsernameAtSignIn
      • LocalPoliciesSecurityOptions/Interactivelogon_DoNotRequireCTRLALTDEL
      • LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit
      • LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn
      • LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn
      • LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests
      • LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn
      • LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation
      • LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators
      • LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers
      • LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated
      • LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations
      • LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode
      • LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation
      • LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations
      • Privacy/EnableActivityFeed
      • Privacy/PublishUserActivities
      • Update/DisableDualScan
      • Update/AllowAutoWindowsUpdateDownloadOverMeteredNetwork

        Changed the name of new policy to CredentialProviders/DisableAutomaticReDeploymentCredentials from CredentialProviders/EnableWindowsAutopilotResetCredentials.

        Changed the names of the following policies:
      • Defender/GuardedFoldersAllowedApplications to Defender/ControlledFolderAccessAllowedApplications
      • Defender/GuardedFoldersList to Defender/ControlledFolderAccessProtectedFolders
      • Defender/EnableGuardMyFolders to Defender/EnableControlledFolderAccess

        Added links to the extra [ADMX-backed BitLocker policies](mdm/policy-csp-bitlocker.md).

        There were issues reported with the previous release of the following policies. These issues were fixed in Windows 10, version 1709:
      • Privacy/AllowAutoAcceptPairingAndPrivacyConsentPrompts
      • Start/HideAppList| diff --git a/windows/client-management/new-in-windows-mdm-enrollment-management.md b/windows/client-management/new-in-windows-mdm-enrollment-management.md index 74ca04fcc6..ad8809d9dd 100644 --- a/windows/client-management/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/new-in-windows-mdm-enrollment-management.md @@ -1,10 +1,10 @@ --- title: What's new in MDM enrollment and management description: Discover what's new and breaking changes in Windows 10 and Windows 11 mobile device management (MDM) enrollment and management experience across all Windows 10 devices. -MS-HAID: +MS-HAID: - 'p\_phdevicemgmt.mdm\_enrollment\_and\_management\_overview' - 'p\_phDeviceMgmt.new\_in\_windows\_mdm\_enrollment\_management' -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: vinpa ms.topic: article @@ -75,7 +75,6 @@ For details about Microsoft mobile device management protocols for Windows 10 an | [EnrollmentStatusTracking CSP](mdm/enrollmentstatustracking-csp.md) | Added the new CSP. | | [PassportForWork CSP](mdm/passportforwork-csp.md) | Added the following new nodes:
      • SecurityKey
      • SecurityKey/UseSecurityKeyForSignin | - ## What's new in MDM for Windows 10, version 1809 | New or updated article | Description | 
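Review bot: deleting change-history-for-mdm-documentation.md outright (the long run of `-` lines ending at `• Start/HideAppList|`) will break any inbound link to that URL that lives outside this repo; the toc.yml entry and the in-page "Change history for MDM documentation" section are removed in later hunks of this patch, so in-repo references look covered, but add a redirect for the old path (for example to new-in-windows-mdm-enrollment-management.md) rather than letting it 404. Also worth confirming before merge: the removed page is the only place on this patch that records which security-relevant policies arrived in which release (for example the Windows 10, version 1803 LocalPoliciesSecurityOptions and UserRights policies, and the RequestSecurityToken enrollment-protocol elements for 1709); make sure that history remains discoverable elsewhere.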
@@ -139,15 +138,15 @@ In your deployment, if you have multiple certificates provisioned on the device Enterprises deploying certificate-based EAP authentication for VPN/Wi-Fi can face a situation where there are multiple certificates that meet the default criteria for authentication. This situation can lead to issues such as: -- The user may be prompted to select the certificate. -- The wrong certificate may get auto selected and cause an authentication failure. +- The user may be prompted to select the certificate. +- The wrong certificate may get auto selected and cause an authentication failure. A production ready deployment must have the appropriate certificate details as part of the profile being deployed. The following information explains how to create or update an EAP Configuration XML such that the extraneous certificates are filtered out and the appropriate certificate can be used for the authentication. EAP XML must be updated with relevant information for your environment. This task can be done either manually by editing the XML sample below, or by using the step by step UI guide. After the EAP XML is updated, refer to instructions from your MDM to deploy the updated configuration as follows: -- For Wi-Fi, look for the <EAPConfig> section of your current WLAN Profile XML (This detail is what you specify for the WLanXml node in the Wi-Fi CSP). Within these tags, you'll find the complete EAP configuration. Replace the section under <EAPConfig> with your updated XML and update your Wi-Fi profile. You might need to refer to your MDM’s guidance on how to deploy a new Wi-Fi profile. -- For VPN, EAP Configuration is a separate field in the MDM Configuration. Work with your MDM provider to identify and update the appropriate Field. +- For Wi-Fi, look for the <EAPConfig> section of your current WLAN Profile XML (This detail is what you specify for the WLanXml node in the Wi-Fi CSP). Within these tags, you'll find the complete EAP configuration. 
Replace the section under <EAPConfig> with your updated XML and update your Wi-Fi profile. You might need to refer to your MDM’s guidance on how to deploy a new Wi-Fi profile. +- For VPN, EAP Configuration is a separate field in the MDM Configuration. Work with your MDM provider to identify and update the appropriate Field. For information about EAP Settings, see . 
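Review bot: the unchanged context line `For information about EAP Settings, see .` has no link target, and this hunk already rewrites the surrounding lines, so restore the link here (the later step 8 note names the intended target, "Extensible Authentication Protocol (EAP) Settings for Network Access") or drop the sentence. Otherwise the `-`/`+` pairs for the two bullets and the Wi-Fi/VPN items differ only in trailing whitespace.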
@@ -159,18 +158,17 @@ For information about adding extended key usage (EKU) to a certificate, see [!NOTE] > For PEAP or TTLS, select the appropriate method and continue following this procedure. -3. Click the **Properties** button underneath the drop-down menu. +3. Click the **Properties** button underneath the drop-down menu. -4. In the **Smart Card or other Certificate Properties** menu, select the **Advanced** button. +4. In the **Smart Card or other Certificate Properties** menu, select the **Advanced** button. - :::image type="content" alt-text="smart card or other certificate properties window." source="images/certfiltering2.png"::: + :::image type="content" alt-text="smart card or other certificate properties window." source="images/certfiltering2.png"::: -5. In the **Configure Certificate Selection** menu, adjust the filters as needed. +5. In the **Configure Certificate Selection** menu, adjust the filters as needed. - :::image type="content" alt-text="configure certificate selection window." source="images/certfiltering3.png"::: + :::image type="content" alt-text="configure certificate selection window." source="images/certfiltering3.png"::: -6. Click **OK** to close the windows to get back to the main rasphone.exe dialog box. +6. Click **OK** to close the windows to get back to the main rasphone.exe dialog box. -7. Close the rasphone dialog box. +7. Close the rasphone dialog box. -8. Continue following the procedure in [EAP configuration](mdm/eap-configuration.md) from Step 9 to get an EAP TLS profile with appropriate filtering. +8. Continue following the procedure in [EAP configuration](mdm/eap-configuration.md) from Step 9 to get an EAP TLS profile with appropriate filtering. > [!NOTE] > You can also set all the other applicable EAP Properties through this UI as well. 
A guide to what these properties mean can be found in [Extensible Authentication Protocol (EAP) Settings for Network Access](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh945104(v=ws.11)). - ### MDM client will immediately check in with the MDM server after client renews WNS channel URI After the MDM client automatically renews the WNS channel URI, the MDM client will immediately check-in with the MDM server. Henceforth, for every MDM client check-in, the MDM server should send a GET request for "ProviderID/Push/ChannelURI" to retrieve the latest channel URI and compare it with the existing channel URI; then update the channel URI if necessary. @@ -326,10 +323,8 @@ If you want to use the certificate used for VPN authentication also for Kerberos The DM agent for [push-button reset](/windows-hardware/manufacture/desktop/push-button-reset-overview) keeps the registry settings for OMA DM sessions, but deletes the task schedules. The client enrollment is retained, but it never syncs with the MDM service. - ## Frequently Asked Questions - ### Can there be more than one MDM server to enroll and manage devices in Windows 10 or 11? No. Only one MDM is allowed. 
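Review bot: the two blank lines removed around `## Frequently Asked Questions` leave that H2 sitting directly between the preceding paragraph and `### Can there be more than one MDM server...` unless another blank line remains on each side; markdownlint (MD022) requires blank lines around headings, so check the rendered page before merging. The same applies to the blank line removed before `### MDM client will immediately check in with the MDM server...` in the preceding hunk, whose step 3 to 8 `-`/`+` pairs otherwise differ only in trailing whitespace.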
@@ -351,8 +346,3 @@ Entry | Description What is dmwappushsvc? | It's a Windows service that ships in Windows 10 and Windows 11 operating system as a part of the windows management platform. It's used internally by the operating system as a queue for categorizing and processing all Wireless Application Protocol (WAP) messages, which include Windows management messages, and Service Indication/Service Loading (SI/SL). The service also initiates and orchestrates management sync sessions with the MDM server. | What data is handled by dmwappushsvc? | It's a component handling the internal workings of the management platform and involved in processing messages that have been received by the device remotely for management. The messages in the queue are serviced by another component that is also part of the Windows management stack to process messages. The service also routes and authenticates WAP messages received by the device to internal OS components that process them further. This service doesn't send telemetry.| How do I turn if off? | The service can be stopped from the "Services" console on the device (Start > Run > services.msc) and locating *Device Management Wireless Application Protocol (WAP) Push message Routing Service*. However, since this service is a component part of the OS and required for the proper functioning of the device, we strongly recommend not to disable the service. Disabling this service will cause your management to fail.| - - -## Change history for MDM documentation - -To know what's changed in MDM documentation, see [Change history for MDM documentation](change-history-for-mdm-documentation.md). diff --git a/windows/client-management/toc.yml b/windows/client-management/toc.yml index ab8ddd9fcc..74837fc166 100644 --- a/windows/client-management/toc.yml +++ b/windows/client-management/toc.yml 
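Review bot: while this hunk removes the "Change history for MDM documentation" section, the FAQ context line just above it, `How do I turn if off?`, has a typo (`if` should be `it`); fix it in the same pass since the file is already being edited. The removal itself is consistent with deleting the change-history page earlier in the patch.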
@@ -11,8 +11,6 @@ items: href: mdm-overview.md - name: What's new in MDM enrollment and management href: new-in-windows-mdm-enrollment-management.md - - name: Change history for MDM documentation - href: change-history-for-mdm-documentation.md - name: Azure Active Directory integration with MDM href: azure-active-directory-integration-with-mdm.md items: From 05f3f20e25eed37950ab71a70321d9f1bf498e99 Mon Sep 17 00:00:00 2001 From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Tue, 14 Mar 2023 18:03:48 -0400 Subject: [PATCH 057/101] Break OMA-URI into its own line Break OMA-URI into its own line --- .../pde-in-intune/intune-enable-pde.md | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-enable-pde.md b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-enable-pde.md index 0052247b0b..b8fea027e9 100644 --- a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-enable-pde.md +++ b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-enable-pde.md 
@@ -55,17 +55,19 @@ To enable Personal Data Encryption (PDE) using Intune, follow the below steps: 1. In the **Add Row** window that opens: - 1. Next to **Name**, enter **Personal Data Encryption**. + 1. Next to **Name**, enter **Personal Data Encryption**. - 1. Next to **Description**, enter a description. + 1. Next to **Description**, enter a description. - 1. Next to **OMA-URI**, enter in **`./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption`**. + 1. Next to **OMA-URI**, enter in: - 1. Next to **Data type**, select **Integer**. + **`./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption`**. - 1. Next to **Value**, enter in **1**. + 1. Next to **Data type**, select **Integer**. - 1. Select **Save** to close the **Add Row** window. + 1. Next to **Value**, enter in **1**. + + 1. Select **Save** to close the **Add Row** window. 1. Select **Next** From f531f7188ee28100a7cceaf4769b7c97c98efe8c Mon Sep 17 00:00:00 2001 From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Tue, 14 Mar 2023 18:08:32 -0400 Subject: [PATCH 058/101] Fix periods Fix periods --- .../pde-in-intune/intune-enable-pde.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-enable-pde.md b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-enable-pde.md index b8fea027e9..ac064684ca 100644 --- a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-enable-pde.md +++ b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-enable-pde.md @@ -61,7 +61,7 @@ To enable Personal Data Encryption (PDE) using Intune, follow the below steps: 1. Next to **OMA-URI**, enter in: - **`./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption`**. + **`./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption`** 1. Next to **Data type**, select **Integer**. 
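Review bot: moving the OMA-URI onto its own line inside the nested `1.` list only renders correctly if the new `**`./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption`**` line keeps the same indentation as the list items around it; if it is outdented, the list ends there and `1. Next to **Data type**` restarts numbering in the rendered page. The trailing period after the closing `**` (bold code followed by `.`) is stray on a standalone value line; the following commit ("Fix periods") removes it, so squashing the two commits would keep the history cleaner.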
@@ -69,7 +69,7 @@ To enable Personal Data Encryption (PDE) using Intune, follow the below steps: 1. Select **Save** to close the **Add Row** window. - 1. Select **Next** + 1. Select **Next**. 1. In the **Assignments** page: From a29f4c4b4230850fb89a34d3a4b6a55369861c31 Mon Sep 17 00:00:00 2001 From: Angela Fleischmann Date: Tue, 14 Mar 2023 16:25:07 -0600 Subject: [PATCH 059/101] Update new-in-windows-mdm-enrollment-management.md Line 32: Asssessments > Assessments Line 165: Add a comma to enclose a clause. Line 312: check-in > check in (verb) [Correctness section of the scorecard](https://microsoft-ce-csi.acrolinx.cloud/api/v1/checking/scorecards/11404e7b-c19b-419f-8da4-af0caf0f0f59#CORRECTNESS) --- .../new-in-windows-mdm-enrollment-management.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/client-management/new-in-windows-mdm-enrollment-management.md b/windows/client-management/new-in-windows-mdm-enrollment-management.md index ad8809d9dd..aa0fa503b7 100644 --- a/windows/client-management/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/new-in-windows-mdm-enrollment-management.md @@ -29,7 +29,7 @@ For details about Microsoft mobile device management protocols for Windows 10 an | [eUUICs](mdm/euiccs-csp.md) | Added the following node:
      • IsDiscoveryServer | | [PersonalDataEncryption](mdm/personaldataencryption-csp.md) | New CSP | | [Policy CSP](mdm/policy-configuration-service-provider.md) | Added the following nodes:
      • Accounts/RestrictToEnterpriseDeviceAuthenticationOnly
      • DesktopAppInstaller/EnableAdditionalSources
      • DesktopAppInstaller/EnableAllowedSources
      • DesktopAppInstaller/EnableAppInstaller
      • DesktopAppInstaller/EnableDefaultSource
      • DesktopAppInstaller/EnableExperimentalFeatures
      • DesktopAppInstaller/EnableHashOverride
      • DesktopAppInstaller/EnableLocalManifestFiles
      • DesktopAppInstaller/EnableMicrosoftStoreSource
      • DesktopAppInstaller/EnableMSAppInstallerProtocol
      • DesktopAppInstaller/EnableSettings
      • DesktopAppInstaller/SourceAutoUpdateInterval
      • Education/EnableEduThemes
      • Experience/AllowSpotlightCollectionOnDesktop
      • FileExplorer/DisableGraphRecentItems
      • HumanPresence/ForceInstantDim
      • InternetExplorer/EnableGlobalWindowListInIEMode
      • InternetExplorer/HideIEAppRetirementNotification
      • InternetExplorer/ResetZoomForDialogInIEMode
      • LocalSecurityAuthority/AllowCustomSSPsAPs
      • LocalSecurityAuthority/ConfigureLsaProtectedProcess
      • MixedReality/AllowCaptivePortalBeforeLogon
      • MixedReality/AllowLaunchUriInSingleAppKiosk
      • MixedReality/AutoLogonUser
      • MixedReality/ConfigureMovingPlatform
      • MixedReality/ConfigureNtpClient
      • MixedReality/ManualDownDirectionDisabled
      • MixedReality/NtpClientEnabled
      • MixedReality/SkipCalibrationDuringSetup
      • MixedReality/SkipTrainingDuringSetup
      • NetworkListManager/AllowedTlsAuthenticationEndpoints
      • NetworkListManager/ConfiguredTLSAuthenticationNetworkName
      • Printers/ConfigureCopyFilesPolicy
      • Printers/ConfigureDriverValidationLevel
      • Printers/ConfigureIppPageCountsPolicy
      • Printers/ConfigureRedirectionGuard
      • Printers/ConfigureRpcConnectionPolicy
      • Printers/ConfigureRpcListenerPolicy
      • Printers/ConfigureRpcTcpPort
      • Printers/ManageDriverExclusionList
      • Printers/RestrictDriverInstallationToAdministrators
      • RemoteDesktopServices/DoNotAllowWebAuthnRedirection
      • Search/AllowSearchHighlights
      • Search/DisableSearch
      • SharedPC/EnabledSharedPCModeWithOneDriveSync
      • Start/DisableControlCenter
      • Start/DisableEditingQuickSettings
      • Start/HideRecommendedSection
      • Start/HideTaskViewButton
      • Start/SimplifyQuickSettings
      • Stickers/EnableStickers
      • Textinput/allowimenetworkaccess
      • Update/NoUpdateNotificationDuringActiveHours
      • WebThreatDefense/EnableService
      • WebThreatDefense/NotifyMalicious
      • WebThreatDefense/NotifyPasswordReuse
      • WebThreatDefense/NotifyUnsafeApp
      • Windowslogon/EnableMPRNotifications | -| [SecureAssessment](mdm/secureassessment-csp.md) | Added the following node:
      • Asssessments | +| [SecureAssessment](mdm/secureassessment-csp.md) | Added the following node:
      • Assessments | | [WindowsAutopilot](mdm/windowsautopilot-csp.md) | Added the following node:
      • HardwareMismatchRemediationData | ## What's new in MDM for Windows 11, version 21H2 @@ -162,7 +162,7 @@ The following list describes the prerequisites for a certificate to be used with - Client Authentication. - As defined by RFC 5280, this property is a well-defined OID with Value 1.3.6.1.5.5.7.3.2. - Any Purpose. - - An EKU Defined and published by Microsoft, is a well-defined OID with value 1.3.6.1.4.1.311.10.12.1. The inclusion of this OID implies that the certificate can be used for any purpose. The advantage of this EKU over the All Purpose EKU is that other non-critical or custom EKUs can still be added to the certificate for effective filtering. + - An EKU, defined and published by Microsoft, is a well-defined OID with value 1.3.6.1.4.1.311.10.12.1. The inclusion of this OID implies that the certificate can be used for any purpose. The advantage of this EKU over the All Purpose EKU is that other non-critical or custom EKUs can still be added to the certificate for effective filtering. - All Purpose. - As defined by RFC 5280, If a CA includes extended key usages to satisfy some application needs, but doesn't want to restrict usage of the key, the CA can add an Extended Key Usage Value of 0. A certificate with such an EKU can be used for all purposes. - The user or the computer certificate on the client chains to a trusted root CA. 
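Review bot: the comma insertion in the "Any Purpose" bullet ("An EKU, defined and published by Microsoft, is a well-defined OID with value 1.3.6.1.4.1.311.10.12.1") fixes the grammar but turns the description into an appositive that reads as if the EKU and the OID are being defined twice; a cleaner form is "An EKU defined and published by Microsoft; it's a well-defined OID with value 1.3.6.1.4.1.311.10.12.1." The same bullet's closing sentence compares this EKU to "the All Purpose EKU", which is only described in the following, unchanged bullet, so a short "see All Purpose below" would help readers checking certificate templates against this list.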
@@ -309,7 +309,7 @@ Alternatively you can use the following procedure to create an EAP Configuration ### MDM client will immediately check in with the MDM server after client renews WNS channel URI -After the MDM client automatically renews the WNS channel URI, the MDM client will immediately check-in with the MDM server. Henceforth, for every MDM client check-in, the MDM server should send a GET request for "ProviderID/Push/ChannelURI" to retrieve the latest channel URI and compare it with the existing channel URI; then update the channel URI if necessary. +After the MDM client automatically renews the WNS channel URI, the MDM client will immediately check in with the MDM server. Henceforth, for every MDM client check-in, the MDM server should send a GET request for "ProviderID/Push/ChannelURI" to retrieve the latest channel URI and compare it with the existing channel URI; then update the channel URI if necessary. ### User provisioning failure in Azure Active Directory-joined Windows 10 and Windows 11 devices From 0bcdd3ff76833327e97e5d2dcbc9d3d589ffe931 Mon Sep 17 00:00:00 2001 From: junhasems <65909470+junhasems@users.noreply.github.com> Date: Wed, 15 Mar 2023 21:04:49 +0900 Subject: [PATCH 060/101] hello-hybrid-cert-whfb-settings-adfs.md Fix hyperlink from "hello-hybrid-key-trust-provision" to "hello-hybrid-cert-whfb-provision" --- .../hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md index 9d45b8bed7..ca0662ddde 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md 
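Review bot: changing "check-in" to "check in" in the first sentence is correct because it is used there as a verb, and the hyphenated noun in "for every MDM client check-in" is rightly left unchanged. Since the hunk already touches this paragraph, the quoted node path "ProviderID/Push/ChannelURI" would be clearer in code formatting, matching how policy identifiers such as `AllowUpdateComplianceProcessing` are rendered in the other files in this series.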
@@ -77,4 +77,4 @@ Before moving to the next section, ensure the following steps are complete: > - Update group memberships for the AD FS service account > [!div class="nextstepaction"] -> [Next: configure policy settings >](/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-provision) \ No newline at end of file +> [Next: configure policy settings >](/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision) From 1a06ffe36823792fc5502b703d98ea2a421616a3 Mon Sep 17 00:00:00 2001 From: Sriraman M S <45987684+msbemba@users.noreply.github.com> Date: Wed, 15 Mar 2023 20:51:10 +0530 Subject: [PATCH 061/101] Update kiosk-xml.md Made changes to the XML Fixes#https://github.com/MicrosoftDocs/windows-itpro-docs/issues/11352 --- windows/configuration/kiosk-xml.md | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/windows/configuration/kiosk-xml.md b/windows/configuration/kiosk-xml.md index 2229eb5af7..d4525a15f4 100644 --- a/windows/configuration/kiosk-xml.md +++ b/windows/configuration/kiosk-xml.md @@ -259,10 +259,8 @@ This sample demonstrates that both UWP and Win32 apps can be configured to autom xmlns:v4="http://schemas.microsoft.com/AssignedAccess/2021/config" > - - + + From af33439fe9556e963790efc6eb00270a31a62d1a Mon Sep 17 00:00:00 2001 From: Sriraman M S <45987684+msbemba@users.noreply.github.com> Date: Wed, 15 Mar 2023 20:56:07 +0530 Subject: [PATCH 062/101] Update windows-security-baselines.md removed the embedded video and added it to see also Fixes#https://github.com/MicrosoftDocs/windows-itpro-docs/issues/11399 --- .../windows-security-baselines.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md index 807e2e2800..5220f9868b 100644 
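Review bot: the new link target hello-hybrid-cert-whfb-provision is consistent with the file being edited (hello-hybrid-cert-whfb-settings-adfs.md, the certificate-trust deployment), whereas the old target pointed readers at the key-trust provisioning page, so this is a correct fix to the deployment walkthrough rather than a cosmetic one. The hunk also adds the missing trailing newline (the removed line carried "\ No newline at end of file"), which is fine to keep in the same commit. Confirm the target page exists under the same /windows/security/identity-protection/hello-for-business/ path, since the link is absolute and the build will not catch a typo the way a relative .md link would.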
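Review bot: the kiosk-xml.md hunk as shown carries only the "- - + +" change markers; the XML elements themselves are not visible in this copy, so the actual edit to the AssignedAccess sample (2 insertions, 4 deletions per the diffstat) can't be verified here. Given the context line declares the xmlns:v4="http://schemas.microsoft.com/AssignedAccess/2021/config" namespace, the reviewer should confirm the resulting sample still validates against that schema and still demonstrates what the surrounding sentence promises, that both UWP and Win32 apps are configured to launch automatically.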
--- a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md +++ b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md @@ -72,11 +72,9 @@ There are several ways to get and use security baselines: [![Microsoft Security Guidance Blog.](./../images/community.png)](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/bg-p/Microsoft-Security-Baselines) -## Related videos - -> [!VIDEO https://learn-video.azurefd.net/vod/player?show=defrag-tools&ep=174-security-baseline-policy-analyzer-lgpo] ## See also - [Microsoft Security Guidance Blog](/archive/blogs/secguide/) - [Microsoft Security Compliance Toolkit](https://www.microsoft.com/download/details.aspx?id=55319) +- [Security Baseline Policy Analyzer](https://learn-video.azurefd.net/vod/player?show=defrag-tools&ep=174-security-baseline-policy-analyzer-lgpo) From 370c0385f240f1c2aa20dc3f8d992b8eabc98152 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Wed, 15 Mar 2023 09:31:45 -0700 Subject: [PATCH 063/101] edits --- .../update/includes/wufb-reports-verify-device-configuration.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/includes/wufb-reports-verify-device-configuration.md b/windows/deployment/update/includes/wufb-reports-verify-device-configuration.md index 5eab6c5de8..1818d4452d 100644 --- a/windows/deployment/update/includes/wufb-reports-verify-device-configuration.md +++ b/windows/deployment/update/includes/wufb-reports-verify-device-configuration.md @@ -8,7 +8,7 @@ ms.topic: include ms.date: 08/10/2022 ms.localizationpriority: medium --- - + In some cases, you may need to manually verify the device configuration has the `AllowUpdateComplianceProcessing` policy enabled. To verify the setting, use the following steps: From acb6c21b95176585a8bbe3b20855e9382fec35a5 Mon Sep 17 00:00:00 2001 
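Review bot: the new "See also" entry titled "Security Baseline Policy Analyzer" links to the video player URL that was previously embedded with [!VIDEO], but the title no longer tells the reader it is a video (the Defrag Tools episode covering Policy Analyzer and LGPO), so it can be mistaken for a download page for the tool, especially sitting directly under the Microsoft Security Compliance Toolkit download link. Suggest "Security Baseline Policy Analyzer (video)" or "Defrag Tools: Security baseline, Policy Analyzer, LGPO (video)" so the list stays scannable.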
From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Wed, 15 Mar 2023 10:53:14 -0700 Subject: [PATCH 064/101] tweak perms --- .../update/includes/wufb-reports-admin-center-permissions.md | 2 ++ windows/deployment/update/wufb-reports-prerequisites.md | 3 ++- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md b/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md index 457b880be1..b1c488c46a 100644 --- a/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md +++ b/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md @@ -16,6 +16,8 @@ To enroll into Windows Update for Business reports, edit configuration settings, - [Intune Administrator](/azure/active-directory/roles/permissions-reference#intune-administrator) - [Windows Update deployment administrator](/azure/active-directory/roles/permissions-reference#windows-update-deployment-administrator) - This role allows enrollment through the [workbook](../wufb-reports-enable.md#bkmk_enroll-workbook) but not the Microsoft 365 admin center +- [Policy and profile manager](/mem/intune/fundamentals/role-based-access-control#built-in-roles) Intune role + - This role allows enrollment through the [workbook](../wufb-reports-enable.md#bkmk_enroll-workbook) but does not allow any access to the Microsoft 365 admin center To display the workbook and view the **Windows** tab in the **Software Updates** page [Microsoft 365 admin center](https://admin.microsoft.com) use the following role: - [Global Reader role](/azure/active-directory/roles/permissions-reference#global-reader) diff --git a/windows/deployment/update/wufb-reports-prerequisites.md b/windows/deployment/update/wufb-reports-prerequisites.md index ace317b4e1..3698c04e10 100644 --- a/windows/deployment/update/wufb-reports-prerequisites.md +++ b/windows/deployment/update/wufb-reports-prerequisites.md 
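Review bot: the sub-bullet added under the new "Policy and profile manager" Intune role ("but does not allow any access to the Microsoft 365 admin center") says the same thing as the existing sub-bullet under "Windows Update deployment administrator" ("but not the Microsoft 365 admin center") in different words; pick one phrasing for both so readers don't infer a difference in scope. Documenting this narrower Intune RBAC role is useful from a least-privilege standpoint, since it gives admins an enrollment path that doesn't require the Global Administrator or Intune Administrator directory roles listed above it; a short sentence saying so would make that intent explicit.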
@@ -32,8 +32,9 @@ Before you begin the process of adding Windows Update for Business reports to yo **Log Analytics permissions**: +The data for Windows Update for Business reports is routed to a Log Analytics workspaces for querying and analysis. To display or query data, users must have one of the following roles, or the equivalent permissions: - [Log Analytics Contributor](/azure/role-based-access-control/built-in-roles#log-analytics-contributor) role can be used to edit and write queries -- [Log Analytics Reader](/azure/role-based-access-control/built-in-roles#log-analytics-reader) role can be used to read data +- [Log Analytics Reader](/azure/role-based-access-control/built-in-roles#log-analytics-reader) role can be used to read data ## Operating systems and editions From e0f74dcc917750e9eb7271147a521d4beec31c8c Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Wed, 15 Mar 2023 10:58:19 -0700 Subject: [PATCH 065/101] edits --- .../update/includes/wufb-reports-admin-center-permissions.md | 2 +- windows/deployment/update/wufb-reports-prerequisites.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md b/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md index b1c488c46a..0450f401be 100644 --- a/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md +++ b/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md 
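Review bot: the added sentence has a number-agreement error, "routed to a Log Analytics workspaces" should read "a Log Analytics workspace". The "Log Analytics Reader" line is removed and re-added with no visible textual difference, which indicates a trailing-whitespace-only change; dropping it from the hunk would keep the diff to the intended addition.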
@@ -17,7 +17,7 @@ To enroll into Windows Update for Business reports, edit configuration settings, - [Windows Update deployment administrator](/azure/active-directory/roles/permissions-reference#windows-update-deployment-administrator) - This role allows enrollment through the [workbook](../wufb-reports-enable.md#bkmk_enroll-workbook) but not the Microsoft 365 admin center - [Policy and profile manager](/mem/intune/fundamentals/role-based-access-control#built-in-roles) Intune role - - This role allows enrollment through the [workbook](../wufb-reports-enable.md#bkmk_enroll-workbook) but does not allow any access to the Microsoft 365 admin center + - This role allows enrollment through the [workbook](../wufb-reports-enable.md#bkmk_enroll-workbook) but doesn't allow any access to the Microsoft 365 admin center To display the workbook and view the **Windows** tab in the **Software Updates** page [Microsoft 365 admin center](https://admin.microsoft.com) use the following role: - [Global Reader role](/azure/active-directory/roles/permissions-reference#global-reader) diff --git a/windows/deployment/update/wufb-reports-prerequisites.md b/windows/deployment/update/wufb-reports-prerequisites.md index 3698c04e10..0d364e4c18 100644 --- a/windows/deployment/update/wufb-reports-prerequisites.md +++ b/windows/deployment/update/wufb-reports-prerequisites.md 
@@ -32,7 +32,7 @@ Before you begin the process of adding Windows Update for Business reports to yo **Log Analytics permissions**: -The data for Windows Update for Business reports is routed to a Log Analytics workspaces for querying and analysis. To display or query data, users must have one of the following roles, or the equivalent permissions: +The data for Windows Update for Business reports is routed to a Log Analytics workspace for querying and analysis. To display or query data, users must have one of the following roles, or the equivalent permissions: - [Log Analytics Contributor](/azure/role-based-access-control/built-in-roles#log-analytics-contributor) role can be used to edit and write queries - [Log Analytics Reader](/azure/role-based-access-control/built-in-roles#log-analytics-reader) role can be used to read data From 2f476f409ee816c521cdb4a43440a318689f03da Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Wed, 15 Mar 2023 10:59:46 -0700 Subject: [PATCH 066/101] edits --- .../update/includes/wufb-reports-admin-center-permissions.md | 2 +- windows/deployment/update/wufb-reports-prerequisites.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md b/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md index 0450f401be..db34ecf112 100644 --- a/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md +++ b/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md @@ -5,7 +5,7 @@ manager: aaroncz ms.technology: itpro-updates ms.prod: windows-client ms.topic: include -ms.date: 08/18/2022 +ms.date: 03/15/2023 ms.localizationpriority: medium --- diff --git a/windows/deployment/update/wufb-reports-prerequisites.md b/windows/deployment/update/wufb-reports-prerequisites.md index 0d364e4c18..0afb403c8d 100644 --- a/windows/deployment/update/wufb-reports-prerequisites.md 
+++ b/windows/deployment/update/wufb-reports-prerequisites.md @@ -6,7 +6,7 @@ ms.prod: windows-client author: mestew ms.author: mstewart ms.topic: article -ms.date: 02/14/2023 +ms.date: 03/15/2023 ms.technology: itpro-updates --- From 153f556df2fd0056dedc8c051f02e54d37a47294 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Wed, 15 Mar 2023 11:58:03 -0700 Subject: [PATCH 067/101] edits --- .../update/includes/wufb-reports-admin-center-permissions.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md b/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md index db34ecf112..c77315543a 100644 --- a/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md +++ b/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md @@ -15,7 +15,7 @@ To enroll into Windows Update for Business reports, edit configuration settings, - [Global Administrator role](/azure/active-directory/roles/permissions-reference#global-administrator) - [Intune Administrator](/azure/active-directory/roles/permissions-reference#intune-administrator) - [Windows Update deployment administrator](/azure/active-directory/roles/permissions-reference#windows-update-deployment-administrator) - - This role allows enrollment through the [workbook](../wufb-reports-enable.md#bkmk_enroll-workbook) but not the Microsoft 365 admin center + - This role allows enrollment through the [workbook](../wufb-reports-enable.md#bkmk_enroll-workbook) but doesn't allow any access to the Microsoft 365 admin center - [Policy and profile manager](/mem/intune/fundamentals/role-based-access-control#built-in-roles) Intune role - This role allows enrollment through the [workbook](../wufb-reports-enable.md#bkmk_enroll-workbook) but doesn't allow any access to the Microsoft 365 admin center 
From f7c0771d0245db9a131b4e5b924cf3a47492420d Mon Sep 17 00:00:00 2001 From: tiaraquan Date: Wed, 15 Mar 2023 12:00:23 -0700 Subject: [PATCH 068/101] :zanyface: --- .../windows-autopatch/overview/windows-autopatch-faq.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml index c323dd4908..5cbf2a8380 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml 
@@ -92,8 +92,8 @@ sections: - question: What happens if there's an issue with an update? answer: | Autopatch relies on the following capabilities to help resolve update issues: - - Pausing and resuming: If Windows Autopatch detects an issue with a Windows quality release, we may decide that it's necessary to pause that release. Once the issue is resolved, the release will be resumed. For more information, see [Pausing and resuming a Windows quality release](../operate/windows-autopatch-windows-quality-update-overview.md#pausing-and-resuming-a-release). - - Rollback: If Windows Autopatch detects issues between versions of Microsoft 365 Apps for enterprise, we might force all devices to roll back to the previous version. For more information, see [Update controls for Microsoft 365 Apps for enterprise](../operate/windows-autopatch-microsoft-365-apps-enterprise.md#microsoft-365-apps-for-enterprise-update-controls). + - Pausing and resuming: For more information about pausing and resuming updates, see [pausing and resuming Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md#pausing-and-resuming-a-release). + - Rollback: For more information about Microsoft 365 Apps for enterprise, see [Update controls for Microsoft 365 Apps for enterprise](../operate/windows-autopatch-microsoft-365-apps-enterprise.md#microsoft-365-apps-for-enterprise-update-controls). - question: Can I permanently pause a Windows feature update deployment? answer: | Yes. Windows Autopatch provides a [permanent pause of either a feature update deployment](../operate/windows-autopatch-windows-feature-update-overview.md#pausing-and-resuming-a-release). From 31b1143820a9abe14e31138c38d16509447abf6c Mon Sep 17 00:00:00 2001 
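Review bot: the rewritten bullets drop the substantive answer and leave only cross-references, so the FAQ entry "What happens if there's an issue with an update?" no longer says what happens. The old text stated the behaviour (Autopatch may pause a Windows quality release and resume it once the issue is resolved; it may force devices to roll back to the previous Microsoft 365 Apps version), and the new "Rollback" bullet now reads "For more information about Microsoft 365 Apps for enterprise", which doesn't mention rollback at all. Suggest keeping one clause of description per bullet ahead of the link, for example "Pausing and resuming: Autopatch can pause a Windows quality release if it detects an issue and resume it once resolved. For more information, see ...".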
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Wed, 15 Mar 2023 16:54:44 -0400 Subject: [PATCH 069/101] minor refresh and date update --- education/windows/federated-sign-in.md | 2 +- .../hello-and-password-changes.md | 46 ++++++------ .../hello-deployment-rdp-certs.md | 2 +- .../hello-why-pin-is-better-than-password.md | 71 ++++++++----------- 4 files changed, 51 insertions(+), 70 deletions(-) diff --git a/education/windows/federated-sign-in.md b/education/windows/federated-sign-in.md index eefe5ce3e3..4799a4d3cc 100644 --- a/education/windows/federated-sign-in.md +++ b/education/windows/federated-sign-in.md @@ -1,7 +1,7 @@ --- title: Configure federated sign-in for Windows devices description: Description of federated sign-in feature for the Education SKUs of Windows 11 and how to configure it via Intune or provisioning packages. -ms.date: 02/24/2023 +ms.date: 03/15/2023 ms.topic: how-to appliesto: - ✅ Windows 11 diff --git a/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md b/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md index 299c09d7f0..5d311af3bb 100644 --- a/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md +++ b/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md 
@@ -1,41 +1,35 @@ --- -title: Windows Hello and password changes (Windows) -description: When you change your password on a device, you may need to sign in with a password on other devices to reset Hello. -ms.date: 07/27/2017 +title: Windows Hello and password changes +description: Learn the impact of changing a password when using Windows Hello. +ms.date: 03/15/2023 appliesto: - ✅ Windows 10 and later -ms.topic: article +ms.topic: conceptual --- # Windows Hello and password changes -When you set up Windows Hello, the PIN or biometric gesture that you use is specific to that device. You can set up Hello for the same account on multiple devices. If the PIN or biometric is configured as part of Windows Hello for Business, changing the account password will not impact sign-in or unlock with these gestures since it uses a key or certificate. However, if Windows Hello for Business is not deployed and the password for that account changes, you must provide the new password on each device to continue to use Hello. +When you set up Windows Hello, the PIN or biometric gesture that you use is specific to that device. You can set up Hello for the same account on multiple devices. If Windows Hello for Business isn't deployed and the password for that account changes, you must provide the new password on each device to continue to use Hello. -## Example +> [!Note] +> This article doesn't apply to Windows Hello for Business. Change the account password will not affect sign-in or unlock, since Windows Hello for Business uses a key or certificate. + +**Example 1** Let's suppose that you have set up a PIN for your Microsoft account on **Device A**. You use your PIN to sign in on **Device A** and then change the password for your Microsoft account. -Because you were using **Device A** when you changed your password, the PIN on **Device A** will continue to work with no other action on your part. 
+Since you were using **Device A** when you changed your password, the PIN on **Device A** will continue to work with no other action on your part. -Suppose instead that you sign in on **Device B** and change your password for your Microsoft account. The next time that you try to sign in on **Device A** using your PIN, sign-in will fail because the account credentials that Hello on **Device A** knows will be outdated. +**Example 2** + +Suppose that you sign in on **Device B** and change your password for your Microsoft account. The next time that you try to sign in on **Device A** using your PIN, sign-in will fail because the account credentials that Hello on **Device A** knows will be outdated. >[!NOTE] >This example also applies to an Active Directory account when [Windows Hello for Business is not implemented](hello-manage-in-organization.md). -  + ## How to update Hello after you change your password on another device -1. When you try to sign in using your PIN or biometric, you will see the following message: **Your password was changed on a different device. You must sign in to this device once with your new password, and then you can sign in with your PIN.** -2. Click **OK.** -3. Click **Sign-in options**. -4. Click the **Password** button. -5. Sign in with new password. -6. The next time that you sign in, you can select **Sign-in options** and then select **PIN** to resume using your PIN. 
- -## Related topics - -- [Windows Hello for Business](hello-identity-verification.md) -- [How Windows Hello for Business works](hello-how-it-works.md) -- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) -- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) -- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) -- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) -- [Event ID 300 - Windows Hello successfully created](/windows/security/identity-protection/hello-for-business/hello-faq) -- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) +1. When you try to sign in using your PIN or biometric, you'll see the following message: **Your password was changed on a different device. You must sign in to this device once with your new password, and then you can sign in with your PIN.** +1. Select **OK** +1. Select **Sign-in options** +1. Select **Password** +1. Sign in with new password +1. The next time that you sign in, you can select **Sign-in options > PIN** to resume using your PIN. diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md index 8896bacc2b..7d4f20063d 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md @@ -5,7 +5,7 @@ ms.collection: - ContentEngagementFY23 - tier1 ms.topic: article -ms.date: 11/15/2022 +ms.date: 03/15/2023 appliesto: - ✅ Windows 10 and later --- diff --git a/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md b/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md index 6b65c109d3..80c0b844fc 100644 
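Review bot: the new note in hello-and-password-changes.md has a grammar error, "Change the account password will not affect sign-in or unlock" should be "Changing the account password won't affect sign-in or unlock", and its "[!Note]" callout uses different casing from the ">[!NOTE]" callout that remains lower in the same file; use "[!NOTE]" for both. Replacing the "## Example" heading with bold "**Example 1**" and "**Example 2**" labels means the two scenarios no longer appear in the page's heading navigation; if that is intended, fine, otherwise "### Example 1" / "### Example 2" keeps them reachable. Removing the "## Related topics" list is consistent with the switch to ms.topic: conceptual, but the body now has no link to hello-why-pin-is-better-than-password.md, which explains the key-based reasoning the new note relies on; consider linking it from the note.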
--- a/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md +++ b/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md 
@@ -1,86 +1,73 @@ --- -title: Why a PIN is better than an online password (Windows) -description: Windows Hello enables users to sign in to their device using a PIN. How is a PIN different from (and better than) an online password. +title: Why a PIN is better than an online password +description: Windows Hello enables users to sign in to their devices using a PIN. Learn how is a PIN different from (and better than) an online password. ms.collection: - highpri - tier1 -ms.date: 10/23/2017 +ms.date: 03/15/2023 appliesto: - ✅ Windows 10 and later -ms.topic: article +ms.topic: conceptual --- # Why a PIN is better than an online password Windows Hello enables users to sign in to their device using a PIN. How is a PIN different from (and better than) a local password? -On the surface, a PIN looks much like a password. A PIN can be a set of numbers, but enterprise policy might allow complex PINs that include special characters and letters, both upper-case and lower-case. Something like **t758A!** could be an account password or a complex Hello PIN. It isn't the structure of a PIN (length, complexity) that makes it better than an online password, it's how it works. First we need to distinguish between two types of passwords: `local` passwords are validated against the machine's password store, whereas `online` passwords are validated against a server. This article mostly covers the benefits a PIN has over an online password, and also why it can be considered even better than a local password. +On the surface, a PIN looks much like a password. A PIN can be a set of numbers, but enterprise policy might enforce complex PINs that include special characters and letters, both upper-case and lower-case. Something like **t758A!** could be an account password or a complex Hello PIN. It isn't the structure of a PIN (length, complexity) that makes it better than an online password, it's how it works. 
First, we need to distinguish between two types of passwords: *local passwords* are validated against the machine's password store, whereas *online passwords* are validated against a server. This article mostly covers the benefits a PIN has over an online password, and also why it can be considered even better than a local password. Watch Dana Huang explain why a Windows Hello for Business PIN is more secure than an online password. > [!VIDEO https://www.youtube.com/embed/cC24rPBvdhA] -## PIN is tied to the device +## A PIN is tied to the device -One important difference between an online password and a Hello PIN is that the PIN is tied to the specific device on which it was set up. That PIN is useless to anyone without that specific hardware. Someone who steals your online password can sign in to your account from anywhere, but if they steal your PIN, they'd have to steal your physical device too! +One important difference between an online password and a Hello PIN is that the PIN is tied to the specific device on which it was set up. That PIN is useless to anyone without that specific hardware. Someone who obtains your online password can sign in to your account from anywhere, but if they obtain your PIN, they'd have to access your device too. -Even you can't use that PIN anywhere except on that specific device. If you want to sign in on multiple devices, you have to set up Hello on each device. +The PIN can't be used anywhere except on that specific device. If you want to sign in on multiple devices, you have to set up Hello on each device. ## PIN is local to the device -An online password is transmitted to the server -- it can be intercepted in transmission or stolen from a server. A PIN is local to the device -- it isn't transmitted anywhere and it isn't stored on the server. -When the PIN is created, it establishes a trusted relationship with the identity provider and creates an asymmetric key pair that is used for authentication. 
When you enter your PIN, it unlocks the authentication key and uses the key to sign the request that is sent to the authenticating server. -However, note that even though local passwords are also local to the device, they are still less secure than a PIN, as described in the next section. +An online password is transmitted to the server. The password can be intercepted in transmission or obtained from a server. A PIN is local to the device, never transmitted anywhere, and it isn't stored on the server. +When the PIN is created, it establishes a trusted relationship with the identity provider and creates an asymmetric key pair that is used for authentication. When you enter your PIN, you unlock the authentication key, which is used to sign the request that is sent to the authenticating server. +Even though local passwords are local to the device, they're less secure than a PIN, as described in the next section. >[!NOTE] ->For details on how Hello uses asymetric key pairs for authentication, see [Windows Hello for Business](hello-overview.md#benefits-of-windows-hello). -  +>For details on how Hello uses asymmetric key pairs for authentication, see [Windows Hello for Business](hello-overview.md#benefits-of-windows-hello). + ## PIN is backed by hardware -The Hello PIN is backed by a Trusted Platform Module (TPM) chip, which is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper resistant, and malicious software is unable to tamper with the security functions of the TPM. Many modern devices have TPM. Windows 10, on the other hand, has a defect of not linking local passwords to TPM. This is the reason why PINs are considered more secure than local passwords. +The Hello PIN is backed by a Trusted Platform Module (TPM) chip, which is a secure crypto-processor that is designed to carry out cryptographic operations. 
The chip includes multiple physical security mechanisms to make it tamper resistant, and malicious software is unable to tamper with the security functions of the TPM. Windows doesn't link local passwords to TPM, therefore PINs are considered more secure than local passwords. -User key material is generated and available within the Trusted Platform Module (TPM) of the user device, which protects it from attackers who want to capture the key material and reuse it. Because Hello uses asymmetric key pairs, users credentials can't be stolen in cases where the identity provider or websites the user accesses have been compromised. - -The TPM protects against a variety of known and potential attacks, including PIN brute-force attacks. After too many incorrect guesses, the device is locked. +User key material is generated and available within the TPM of the device. The TPM protects the key material from attackers who want to capture and reuse it. Since Hello uses asymmetric key pairs, users credentials can't be stolen in cases where the identity provider or websites the user accesses have been compromised. +The TPM protects against various known and potential attacks, including PIN brute-force attacks. After too many incorrect guesses, the device is locked. ## PIN can be complex The Windows Hello for Business PIN is subject to the same set of IT management policies as a password, such as complexity, length, expiration, and history. Although we generally think of a PIN as a simple four-digit code, administrators can set [policies](hello-manage-in-organization.md) for managed devices to require a PIN complexity similar to a password. You can require or block: special characters, uppercase characters, lowercase characters, and digits. -## What if someone steals the laptop or phone? +## What if someone steals the device? 
-To compromise a Windows Hello credential that TPM protects, an attacker must have access to the physical device, and then must find a way to spoof the user's biometrics or guess his or her PIN—and all of this must be done before [TPM anti-hammering](/windows/device-security/tpm/tpm-fundamentals#anti-hammering) protection locks the device. -You can provide additional protection for laptops that don't have TPM by enabling BitLocker and setting a policy to limit failed sign-ins. +To compromise a Windows Hello credential that TPM protects, an attacker must have access to the physical device. Then, the attacker must find a way to spoof the user's biometrics or guess the PIN. All these actions must be done before [TPM anti-hammering](/windows/device-security/tpm/tpm-fundamentals#anti-hammering) protection locks the device. +You can provide more protection for laptops that don't have TPM by enabling BitLocker and setting a policy to limit failed sign-ins. ### Configure BitLocker without TPM -1. Use the Local Group Policy Editor (gpedit.msc) to enable the following policy: +To enable BitLocker without TPM, follow these steps: - **Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives > Require additional authentication at startup** - -2. In the policy option, select **Allow BitLocker without a compatible TPM**, and then click **OK.** -3. Go to Control Panel > **System and Security > BitLocker Drive Encryption** and select the operating system drive to protect. +1. Open the Local Group Policy Editor (gpedit.msc) and enable the policy: **Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives > Require additional authentication at startup** +1. In the policy option, select **Allow BitLocker without a compatible TPM > OK** +1. On the device, open **Control Panel > System and Security > BitLocker Drive Encryption** +1. 
Select the operating system drive to protect ### Set account lockout threshold -1. Use the Local Group Policy Editor (gpedit.msc) to enable the following policy: +To configure account lockout threshold, follow these steps: - **Computer Configuration > Windows Settings > Security Settings > Account Policies > Account Lockout Policy > Account lockout threshold** - -2. Set the number of invalid logon attempts to allow, and then click OK. +1. Open the Local Group Policy Editor (gpedit.msc) and enable the policy: **Computer Configuration > Windows Settings > Security Settings > Account Policies > Account Lockout Policy > Account lockout threshold** +1. Set the number of invalid logon attempts to allow, and then select OK ## Why do you need a PIN to use biometrics? -Windows Hello enables biometric sign-in for Windows 10: fingerprint, iris, or facial recognition. When you set up Windows Hello, you're asked to create a PIN first. This PIN enables you to sign in using the PIN when you can't use your preferred biometric because of an injury or because the sensor is unavailable or not working properly. +Windows Hello enables biometric sign-in for Windows: fingerprint, iris, or facial recognition. When you set up Windows Hello, you're asked to create a PIN first. This PIN enables you to sign in using the PIN when you can't use your preferred biometric because of an injury or because the sensor is unavailable or not working properly. -If you only had a biometric sign-in configured and, for any reason, were unable to use that method to sign in, you would have to sign in using your account and password, which doesn't provide you the same level of protection as Hello. 
- -## Related topics - -- [Windows Hello for Business](hello-identity-verification.md) -- [How Windows Hello for Business works](hello-how-it-works.md) -- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) -- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) -- [Windows Hello and password changes](hello-and-password-changes.md) -- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) -- [Event ID 300 - Windows Hello successfully created](/windows/security/identity-protection/hello-for-business/hello-faq) -- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) +If you only had a biometric sign-in configured and, for any reason, were unable to use that method to sign in, you would have to sign in using your account and password, which doesn't provide you with the same level of protection as Hello. From 915349a2ff106c761d3177125ca5eaa3c38143f4 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Wed, 15 Mar 2023 17:04:41 -0400 Subject: [PATCH 070/101] include file fix --- education/windows/includes/intune-custom-settings-1.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/education/windows/includes/intune-custom-settings-1.md b/education/windows/includes/intune-custom-settings-1.md index c5eee0e2a8..5be4cd1204 100644 --- a/education/windows/includes/intune-custom-settings-1.md +++ b/education/windows/includes/intune-custom-settings-1.md @@ -7,7 +7,7 @@ ms.topic: include To configure devices with Microsoft Intune, use a custom policy: -1. Go to the Microsoft Intune admin center +1. Go to the Microsoft Intune admin center 2. Select **Devices > Configuration profiles > Create profile** 3. Select **Platform > Windows 10 and later** and **Profile type > Templates > Custom** 4. Select **Create** From bd67f1bda7d5097e9822e20dc7b321a3f247ef95 Mon Sep 17 00:00:00 2001 
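Review bot: `users credentials` in the new TPM paragraph (`Since Hello uses asymmetric key pairs, users credentials can't be stolen`) needs the possessive `users'`; the removed line had the same slip, and this rewrite is the place to fix it. In the BitLocker steps, `select **Allow BitLocker without a compatible TPM > OK**` fuses a checkbox and a button into one breadcrumb; `select **Allow BitLocker without a compatible TPM**, then select **OK**` reads more clearly. The hunk also deletes the entire `## Related topics` list (eight links) without anything in the hunk replacing those cross-references; confirm the removal is intended.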
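Review bot: the `-`/`+` pair for `1. Go to the Microsoft Intune admin center` is indistinguishable as rendered here, so the fix must be trailing whitespace or a non-printing character; the commit subject `include file fix` doesn't say which, and a one-line explanation in the message would save the next reader from diffing the line byte by byte.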
From: Phil Urban <29461692+PhillyUrbs@users.noreply.github.com> Date: Wed, 15 Mar 2023 17:11:15 -0400 Subject: [PATCH 071/101] Spelling correction --- .../microsoft-defender-application-guard/reqs-md-app-guard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md index 85f176411e..f8cbef2b18 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md @@ -47,4 +47,4 @@ Your environment must have the following hardware to run Microsoft Defender Appl |--------|-----------| | Operating system | Windows 10 Enterprise edition, version 1809 or later
        Windows 10 Professional edition, version 1809 or later
        Windows 10 Professional for Workstations edition, version 1809 or later
        Windows 10 Professional Education edition, version 1809 or later
        Windows 10 Education edition, version 1809 or later
        Windows 11 Education, Enterprise, and Professional editions | | Browser | Microsoft Edge | -| Management system
        (only for managed devices)| [Microsoft Intune](/intune/)

        **OR**

        [Microsoft Configuration Manager](/configmgr/)

        **OR**

        [Group Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753298(v=ws.11))

        **OR**

        Your current, company-wide, non-Microsoft mobile device management (MDM) solution. For info about non-Mirosoft MDM solutions, see the documentation that came with your product. | +| Management system
        (only for managed devices)| [Microsoft Intune](/intune/)

        **OR**

        [Microsoft Configuration Manager](/configmgr/)

        **OR**

        [Group Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753298(v=ws.11))

        **OR**

        Your current, company-wide, non-Microsoft mobile device management (MDM) solution. For info about non-Microsoft MDM solutions, see the documentation that came with your product. | From a966f50e01901d8cfcc79b7b2151cc33fcf6cbe8 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Wed, 15 Mar 2023 17:53:48 -0400 Subject: [PATCH 072/101] update --- .../hello-hybrid-cloud-kerberos-trust-provision.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md index 0f6b8ab112..1367cb8301 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md @@ -178,8 +178,6 @@ If you deployed Windows Hello for Business using the key trust model, and want t > [!NOTE] > For hybrid Azure AD joined devices, users must perform the first sign in with new credentials while having line of sight to a DC. -> -> Without line of sight to a DC, even when the client is configured to use cloud Kerberos trust, the system will fall back to key trust if cloud Kerberos trust login fails. ## Migrate from certificate trust deployment model to cloud Kerberos trust From 1e18578c7102baa0cf5f0c4755403e874e98c81c Mon Sep 17 00:00:00 2001 
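Review bot: the spelling fix (`non-Mirosoft` to `non-Microsoft`) is the only difference between the removed and added cell, so the change is correct as is. As a follow-up for this same row, the Group Policy link still points at the Windows Server 2008 R2 documentation (`/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/...`); a current Group Policy page would serve readers on Windows 10 1809 and later and Windows 11 better.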
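Review bot: the removed sentence (`Without line of sight to a DC, even when the client is configured to use cloud Kerberos trust, the system will fall back to key trust if cloud Kerberos trust login fails`) describes a fallback that decides which credential path is used at sign-in, and the commit message `update` doesn't say whether it was removed because it is inaccurate or because it is documented elsewhere. Record the reason in the commit message or the remaining note, and if the behaviour still holds, the fallback deserves a mention somewhere in this migration section.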
From: Scott Breen <39719539+scottbreenmsft@users.noreply.github.com> Date: Thu, 16 Mar 2023 11:50:11 +1000 Subject: [PATCH 073/101] Update get-minecraft-for-education.md Updating article to recommend using the system install behavior now that it has been released. Intune What's new docs planned to be updated tomorrow referencing the system context support. --- education/windows/get-minecraft-for-education.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/education/windows/get-minecraft-for-education.md b/education/windows/get-minecraft-for-education.md index 0c1e50cd52..bd0cb591bf 100644 --- a/education/windows/get-minecraft-for-education.md +++ b/education/windows/get-minecraft-for-education.md @@ -112,7 +112,9 @@ If you're using Microsoft Intune to manage your devices, follow these steps to d 1. Under *App type*, select **Microsoft Store app (new)** and choose **Select** 1. Select **Search the Microsoft Store app (new)** and search for **Minecraft Education** 1. Select the app and choose **Select** -1. On the *App information* screen, select **Next** +1. On the *App information* screen, select the *install behavior*, then select **Next** + - *System* means install for all users (recommended for most scenarios) + - *User* means only install for the targeted user or current user of a device 1. On the *Assignments* screen, choose how you want to target the installation of Minecraft Education - *Required* means that Intune installs the app without user interaction - *Available* enables Minecraft Education in the Company Portal, where users can install the app on-demand From 368d17ba0cab67822bbafe02ad13f8d3abc752f3 Mon Sep 17 00:00:00 2001 From: tiaraquan Date: Wed, 15 Mar 2023 20:37:28 -0700 Subject: [PATCH 074/101] Tweak --- .../windows-autopatch/overview/windows-autopatch-privacy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
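Review bot: the new *User* bullet (`only install for the targeted user or current user of a device`) reads awkwardly; `installs only for the targeted user, or for the current user of the device` is clearer. Since the commit message says the Intune What's new entry for system-context installs is not yet published, consider linking the *System* bullet to that Intune page once it lands so readers can confirm the option is available on their tenant.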
diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md index 3b9a3b050f..5d20f51af7 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md @@ -72,7 +72,7 @@ Windows Autopatch creates an enterprise application in your tenant. This enterpr | Enterprise application name | Usage | Permissions | | ----- | ----- | ----- | -| Modern Workplace Management | This enterprise application is a limited first party enterprise application with elevated privileges. This application is used to manage the service, publish baseline configuration updates, and maintain overall service health. |

        • DeviceManagementApps.ReadWrite.All
        • DeviceManagementConfiguration.ReadWrite.All
        • DeviceManagementManagedDevices.PriviligedOperation.All
        • DeviceManagementManagedDevices.ReadWrite.All
        • DeviceManagementRBAC.ReadWrite.All
        • DeviceManagementServiceConfig.ReadWrite.All
        • Directory.Read.All
        • Group.Create
        • Policy.Read.All
        • WindowsUpdates.ReadWrite.All
        | +| Modern Workplace Management | The Modern Workplace Management application:
        • Manages the service
        • Publishes baseline configuration updates
        • Maintains overall service health
        |
        • DeviceManagementApps.ReadWrite.All
        • DeviceManagementConfiguration.ReadWrite.All
        • DeviceManagementManagedDevices.PriviligedOperation.All
        • DeviceManagementManagedDevices.ReadWrite.All
        • DeviceManagementRBAC.ReadWrite.All
        • DeviceManagementServiceConfig.ReadWrite.All
        • Directory.Read.All
        • Group.Create
        • Policy.Read.All
        • WindowsUpdates.ReadWrite.All
        | ### Service accounts From e881020ec1bec04508d6fa1aab3d87d6a0081e75 Mon Sep 17 00:00:00 2001 From: tiaraquan Date: Wed, 15 Mar 2023 20:40:32 -0700 Subject: [PATCH 075/101] you pea brain --- .../windows-autopatch/overview/windows-autopatch-privacy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md index 5d20f51af7..46198efe32 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md @@ -68,7 +68,7 @@ For more information about how Windows diagnostic data is used, see: ## Tenant access -Windows Autopatch creates an enterprise application in your tenant. This enterprise application is a first party application used to run the Windows Autopatch service. +Windows Autopatch creates an enterprise application in your tenant. This enterprise application is used to run the Windows Autopatch service. | Enterprise application name | Usage | Permissions | | ----- | ----- | ----- | From 6b2d1215614780ff4e36e3510a2729d04759f8a2 Mon Sep 17 00:00:00 2001 From: tiaraquan Date: Wed, 15 Mar 2023 20:42:58 -0700 Subject: [PATCH 076/101] sigh... --- .../references/windows-autopatch-changes-to-tenant.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md index fed0830f19..b330342957 100644 --- a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md +++ b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md 
@@ -23,7 +23,7 @@ The following configuration details explain the changes made to your tenant when Enterprise applications are applications (software) that a business uses to do its work. -Windows Autopatch creates an enterprise application in your tenant. This enterprise application is a first party application used to run the Windows Autopatch service. +Windows Autopatch creates an enterprise application in your tenant. This enterprise application is used to run the Windows Autopatch service. | Enterprise application name | Usage | Permissions | | ----- | ------ | ----- | From bb314ba9d25284d1646ab0d9721887db91477f5a Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Thu, 16 Mar 2023 07:40:16 -0400 Subject: [PATCH 077/101] update to WHFK hybrid cert trust to include device write-back and device auth for AD FS --- .../hello-hybrid-cert-trust.md | 21 +++++++++++-------- 1 file changed, 12 insertions(+), 9 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md index b8a7d72fe0..02c36f3fbe 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md @@ -1,7 +1,7 @@ --- title: Windows Hello for Business hybrid certificate trust deployment description: Learn how to deploy Windows Hello for Business in a hybrid certificate trust scenario. -ms.date: 12/28/2022 +ms.date: 03/16/2023 appliesto: - ✅ Windows 10 and later - ✅ Windows Server 2016 and later 
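Review bot: same wording change as in the privacy page, and the same two problems: the commit subject `sigh...` should describe the change, and dropping `first party` leaves the sentence with no statement of who owns the application. Keeping the two pages in sync in a single commit would also stop them drifting apart.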
@@ -19,7 +19,7 @@ This deployment guide describes how to deploy Windows Hello for Business in a hy > [!IMPORTANT] > Windows Hello for Business *cloud Kerberos trust* is the recommended deployment model when compared to the *key trust model*. It is also the recommended deployment model if you don't need to deploy certificates to the end users. For more information, see [cloud Kerberos trust deployment](hello-hybrid-cloud-kerberos-trust.md). -It is recommended that you review the [Windows Hello for Business planning guide](hello-planning-guide.md) prior to using the deployment guide. The planning guide helps you make decisions by explaining the available options with each aspect of the deployment and explains the potential outcomes based on each of these decisions. +It's recommended that you review the [Windows Hello for Business planning guide](hello-planning-guide.md) prior to using the deployment guide. The planning guide helps you make decisions by explaining the available options with each aspect of the deployment and explains the potential outcomes based on each of these decisions. ## Prerequisites The following prerequisites must be met for a hybrid certificate trust deployment: 
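Review bot: the contraction change is fine. The unchanged IMPORTANT note in this hunk's context compares cloud Kerberos trust with the *key trust model*, but this is the certificate trust guide; a reader here wants to know how cloud Kerberos trust compares with certificate trust, so consider adjusting that note while the page is open.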
@@ -64,18 +64,20 @@ Once you have your AD FS design ready: The AD FS farm used with Windows Hello for Business must be Windows Server 2016 with minimum update of [KB4088889 (14393.2155)](https://support.microsoft.com/help/4088889). -### Device registration +### Device registration and device write-back Windows devices must be registered in Azure AD. Devices can be registered in Azure AD using either *Azure AD join* or *hybrid Azure AD join*.\ -For *hybrid Azure AD joined* devices, review the guidance on the [plan your hybrid Azure Active Directory join implementation][AZ-8] page. +For hybrid Azure AD joined devices, review the guidance on the [plan your hybrid Azure Active Directory join implementation][AZ-8] page. -Hybrid certificate trust deployments need the device write back feature. Authentication to AD FS needs both the user and the computer to authenticate. Typically the users are synchronized, but not devices. This prevents AD FS from authenticating the computer and results in Windows Hello for Business certificate enrollment failures. For this reason, Windows Hello for Business deployments need device write-back. +Refer to the [Configure hybrid Azure Active Directory join for federated domains][AZ-10] guide to learn more about using Azure AD Connect Sync to configure Azure AD device registration.\ +For a **manual configuration** of your AD FS farm to support device registration, review the [Configure AD FS for Azure AD device registration][AZ-11] guide. + +Hybrid certificate trust deployments require the *device write-back* feature. Authentication to AD FS needs both the user and the device to authenticate. Typically the users are synchronized, but not devices. This prevents AD FS from authenticating the device and results in Windows Hello for Business certificate enrollment failures. For this reason, Windows Hello for Business deployments need device write-back. > [!NOTE] -> Windows Hello for Business is tied between a user and a device. 
Both the user and device need to be synchronized between Azure Active Directory and Active Directory. Device write-back is used to update the msDS-KeyCredentialLink attribute on the computer object. +> Windows Hello for Business is tied between a user and a device. Both the user and device need to be synchronized between Azure Active Directory and Active Directory. Device write-back is used to update the *msDS-KeyCredentialLink* attribute on the computer object. -Refer to the [configure hybrid Azure Active Directory join for federated domains][AZ-10] guide to learn more about setting up Azure AD Connect Sync to support Azure AD device registration. -For a manual configuration of your AD FS farm to support device registration, review the [Configure AD FS for Azure AD device registration][AZ-11] guide. +If you manually configured AD FS, or if you ran Azure AD Connect Sync using *Custom Settings*, you must ensure that you have configured **device write-back** and **device authentication** in your AD FS farm. For more information, see [Configure Device Write Back and Device Authentication][SER-5]. ### Public Key Infrastructure @@ -129,4 +131,5 @@ Once the prerequisites are met, deploying Windows Hello for Business with a hybr [SER-1]: /windows-server/identity/ad-fs/operations/configure-ad-fs-2016-and-azure-mfa [SER-2]: /windows-server/identity/ad-fs/deployment/deploying-a-federation-server-farm [SER-3]: /windows-server/identity/ad-fs/technical-reference/understanding-key-ad-fs-concepts -[SER-4]: /windows-server/identity/ad-fs/design/ad-fs-design-guide-in-windows-server-2012-r2 \ No newline at end of file +[SER-4]: /windows-server/identity/ad-fs/design/ad-fs-design-guide-in-windows-server-2012-r2 +[SER-5]: /windows-server/identity/ad-fs/operations/configure-device-based-conditional-access-on-premises#configure-device-write-back-and-device-authentication \ No newline at end of file From aacbde9004799b06a90b5319cc2dce77ce12173e Mon Sep 17 00:00:00 2001 
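Review bot: renaming the heading to `### Device registration and device write-back` changes its anchor, so any link to `#device-registration` on other pages will break; search for inbound links before merging. The new paragraph gives the right reason for requiring device write-back (AD FS must authenticate the device as well as the user, and write-back populates `msDS-KeyCredentialLink` on the computer object), but `Typically the users are synchronized, but not devices` would be clearer as `Typically users are synchronized, but devices are not written back to Active Directory`, which is the direction that matters for AD FS. The closing sentence that both **device write-back** and **device authentication** must be configured when AD FS was set up manually or with *Custom Settings* is the key operational point; consider moving it ahead of the NOTE so it isn't missed.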
From: valemieux <98555474+valemieux@users.noreply.github.com> Date: Thu, 16 Mar 2023 09:02:55 -0700 Subject: [PATCH 078/101] Update select-types-of-rules-to-create.md RootCertificate line to "Not supported." --- .../select-types-of-rules-to-create.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index 2fb47fdf33..5984fefcc0 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md 
@@ -96,7 +96,7 @@ Each file rule level has advantages and disadvantages. Use Table 2 to select the | **FilePublisher** | This level combines the "FileName" attribute of the signed file, plus "Publisher" (PCA certificate with CN of leaf), plus a minimum version number. This option trusts specific files from the specified publisher, with a version at or above the specified version number. | | **LeafCertificate** | Adds trusted signers at the individual signing certificate level. The benefit of using this level versus the individual hash level is that new versions of the product will have different hash values but typically the same signing certificate. When this level is used, no policy update would be needed to run the new version of the application. However, leaf certificates typically have shorter validity periods than other certificate levels, so the WDAC policy must be updated whenever these certificates change. | | **PcaCertificate** | Adds the highest available certificate in the provided certificate chain to signers. This level is typically one certificate below the root because the scan doesn't resolve the complete certificate chain via the local root stores or with an online check. | -| **RootCertificate** | This level may produce an overly permissive policy and isn't recommended for most use cases. | +| **RootCertificate** | Not supported. | | **WHQL** | Only trusts binaries that have been submitted to Microsoft and signed by the Windows Hardware Qualification Lab (WHQL). This level is primarily for kernel binaries. | | **WHQLPublisher** | This level combines the WHQL level and the CN on the leaf certificate, and is primarily for kernel binaries. | | **WHQLFilePublisher** | This level combines the "FileName" attribute of the signed file, plus "WHQLPublisher", plus a minimum version number. This level is primarily for kernel binaries. | From 213a8e179e32ed7b2c2b1c1f4c8af7636ea73bbe Mon Sep 17 00:00:00 2001 
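Review bot: `Not supported.` on its own leaves readers of Table 2 unsure whether specifying the RootCertificate level is rejected outright or merely produces an unusable rule; state what happens when it is selected. The PcaCertificate row already explains that the scan doesn't resolve the chain to the root, so a short pointer to that row would also explain *why* the root level isn't supported. If this reflects a change in product behaviour rather than a documentation correction, note the version it applies from.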
From: tiaraquan Date: Thu, 16 Mar 2023 11:17:19 -0700 Subject: [PATCH 079/101] Consolidating tenant access and enterprise application information --- .../windows-autopatch/overview/windows-autopatch-privacy.md | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md index 46198efe32..a04a060c4c 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md @@ -68,11 +68,7 @@ For more information about how Windows diagnostic data is used, see: ## Tenant access -Windows Autopatch creates an enterprise application in your tenant. This enterprise application is used to run the Windows Autopatch service. - -| Enterprise application name | Usage | Permissions | -| ----- | ----- | ----- | -| Modern Workplace Management | The Modern Workplace Management application:
        • Manages the service
        • Publishes baseline configuration updates
        • Maintains overall service health
        |
        • DeviceManagementApps.ReadWrite.All
        • DeviceManagementConfiguration.ReadWrite.All
        • DeviceManagementManagedDevices.PriviligedOperation.All
        • DeviceManagementManagedDevices.ReadWrite.All
        • DeviceManagementRBAC.ReadWrite.All
        • DeviceManagementServiceConfig.ReadWrite.All
        • Directory.Read.All
        • Group.Create
        • Policy.Read.All
        • WindowsUpdates.ReadWrite.All
        | +For more information about tenant access and changes made to your tenant upon enrolling into Windows Autopatch, see [Changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md). ### Service accounts From a6d75e8261a4b1c42f0e35c272521513bc6edf43 Mon Sep 17 00:00:00 2001 From: tiaraquan Date: Thu, 16 Mar 2023 11:38:50 -0700 Subject: [PATCH 080/101] Removed redundancy --- .../operate/windows-autopatch-maintain-environment.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md index b67ec6d208..8ac2a90c62 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md 
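Review bot: replacing the table with a link is fine as long as the target page carries the consolidated content; the earlier commit in this series that bulleted the Usage cell, and the `DeviceManagementManagedDevices.PriviligedOperation.All` permission name, only touched this page, which is now being emptied. Check that the table on `windows-autopatch-changes-to-tenant.md` has the corrected text before this copy goes away, since it becomes the only place the permission list is published.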
@@ -37,7 +37,7 @@ Windows Autopatch deploys, manages and maintains all configurations related to t The **Tenant management** blade can be found by navigating to Tenant administration > Windows Autopatch > **Tenant management**. > [!IMPORTANT] -> Starting October 12, 2022, Windows Autopatch will manage your tenant with our [first party enterprise applications](../references/windows-autopatch-changes-to-tenant.md#windows-autopatch-enterprise-applications). If your tenant is still using the [Windows Autopatch service accounts](../overview/windows-autopatch-privacy.md#service-accounts), your Global admin must take action in the new Windows Autopatch Tenant management blade to approve the configuration change. To take action or see if you need to take action, visit the Tenant management blade in the Windows Autopatch portal. +> Starting October 12, 2022, Windows Autopatch will manage your tenant with our [enterprise applications](../references/windows-autopatch-changes-to-tenant.md#windows-autopatch-enterprise-applications). If your tenant is still using the [Windows Autopatch service accounts](../overview/windows-autopatch-privacy.md#service-accounts), your Global admin must go to the Tenant management blade to approve the configuration change. The type of banner that appears depends on the severity of the action. Currently, only critical actions are listed. From 41926946f50596858c11a20ba6616d3175139504 Mon Sep 17 00:00:00 2001 From: jsuther1974 Date: Thu, 16 Mar 2023 13:57:31 -0700 Subject: [PATCH 081/101] Updates to memory integrity topics --- ...tion-based-protection-of-code-integrity.md | 158 ++++++++++-------- ...nd-windows-defender-application-control.md | 33 ++-- .../example-wdac-base-policies.md | 4 +- 3 files changed, 106 insertions(+), 89 deletions(-) 
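Review bot: `Starting October 12, 2022, Windows Autopatch will manage your tenant with our enterprise applications` is future tense for a date five months before this commit (16 Mar 2023); `manages` is the right tense now. The trimmed note also loses the sentence telling admins where to look to find out whether action is needed; `your Global admin must go to the Tenant management blade to approve the configuration change` covers the action, but a reader who doesn't know whether they are affected no longer has the hint that the blade shows it.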
diff --git a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md index 9c1feb7d06..d40726923d 100644 --- a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md +++ b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md @@ -1,6 +1,6 @@ --- -title: Enable virtualization-based protection of code integrity -description: This article explains the steps to opt in to using HVCI on Windows devices. +title: Enable memory integrity +description: This article explains the steps to opt in to using memory integrity on Windows devices. ms.prod: windows-client ms.mktglfcycl: deploy ms.localizationpriority: medium @@ -12,7 +12,7 @@ ms.collection: - highpri - tier2 ms.topic: conceptual -ms.date: 12/16/2021 +ms.date: 03/16/2023 ms.reviewer: ms.technology: itpro-security --- 
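Review bot: the front-matter `title` becomes `Enable memory integrity`, but the H1 in the next hunk's context is still `# Enable virtualization-based protection of code integrity`; rename the H1 (and check the file name and any TOC entry) in the same change so the page title, heading and URL agree.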
@@ -20,41 +20,50 @@ ms.technology: itpro-security # Enable virtualization-based protection of code integrity **Applies to** + - Windows 10 - Windows 11 +- Windows Server 2016 or higher -This topic covers different ways to enable Hypervisor-protected code integrity (HVCI) on Windows 10 and Windows 11. -Some applications, including device drivers, may be incompatible with HVCI. -This incompatibility can cause devices or software to malfunction and in rare cases may result in a blue screen. Such issues may occur after HVCI has been turned on or during the enablement process itself. -If these issues occur, see [Troubleshooting](#troubleshooting) for remediation steps. +**Memory integrity** is a virtualization-based security (VBS) feature available in Windows. Memory integrity and VBS improve the threat model of Windows and provide stronger protections against malware trying to exploit the Windows kernel. VBS uses the Windows hypervisor to create an isolated virtual environment that becomes the root of trust of the OS that assumes the kernel can be compromised. Memory integrity is a critical component that protects and hardens Windows by running kernel mode code integrity within the isolated virtual environment of VBS. Memory integrity also restricts kernel memory allocations that could be used to compromise the system. > [!NOTE] -> Because it makes use of *Mode Based Execution Control*, HVCI works better with Intel Kaby Lake or AMD Zen 2 CPUs and newer. Processors without MBEC will rely on an emulation of this feature, called *Restricted User Mode*, which has a bigger impact on performance. +> Memory integrity works better with Intel Kabylake and higher processors with *Mode-Based Execution Control*, and AMD Zen 2 and higher processors with *Guest Mode Execute Trap* capabilities. Older processors rely on an emulation of these features, called *Restricted User Mode*, and will have a bigger impact on performance. 
-## HVCI Features +> [!WARNING] +> Some applications and hardware device drivers may be incompatible with memory integrity. This incompatibility can cause devices or software to malfunction and in rare cases may result in a boot failure (blue screen). Such issues may occur after memory integrity has been turned on or during the enablement process itself. If compatibility issues occur, see [Troubleshooting](#troubleshooting) for remediation steps. -* HVCI protects modification of the Control Flow Guard (CFG) bitmap. -* HVCI also ensures that your other trusted processes, like Credential Guard, have got a valid certificate. -* Modern device drivers must also have an EV (Extended Validation) certificate and should support HVCI. +> [!NOTE] +> Memory integrity is sometimes referred to as *hypervisor-protected code integrity (HVCI)* or *hypervisor enforced code integrity*, and was originally released as part of *Device Guard*. Device Guard is no longer used except to locate memory integrity and VBS settings in Group Policy or the Windows registry. -## How to turn on HVCI in Windows 10 and Windows 11 +## Memory integrity features + +- Protects modification of the Control Flow Guard (CFG) bitmap for kernel mode drivers. +- Protects the kernel mode code integrity process that ensures that other trusted kernel processes have a valid certificate. 
+ +## How to turn on memory integrity + +To enable memory integrity on Windows devices with supporting hardware throughout an enterprise, use any of these options: -To enable HVCI on Windows 10 and Windows 11 devices with supporting hardware throughout an enterprise, use any of these options: - [Windows Security app](#windows-security-app) -- [Microsoft Intune (or another MDM provider)](#enable-hvci-using-intune) -- [Group Policy](#enable-hvci-using-group-policy) +- [Microsoft Intune (or another MDM provider)](#enable-memory-integrity-using-intune) +- [Group Policy](#enable-memory-integrity-using-group-policy) - [Microsoft Configuration Manager](https://cloudblogs.microsoft.com/enterprisemobility/2015/10/30/managing-windows-10-device-guard-with-configuration-manager/) -- [Registry](#use-registry-keys-to-enable-virtualization-based-protection-of-code-integrity) +- [Registry](#use-registry-keys-to-enable-memory-integrity) ### Windows Security app -HVCI is labeled **Memory integrity** in the Windows Security app and it can be accessed via **Settings** > **Update & Security** > **Windows Security** > **Device security** > **Core isolation details** > **Memory integrity**. For more information, see [KB4096339](https://support.microsoft.com/help/4096339/windows-10-device-protection-in-windows-defender-security-center). +**Memory integrity** can be turned on in the Windows Security app and found at **Windows Security** > **Device security** > **Core isolation details** > **Memory integrity**. For more information, see [Device protection in Windows Security](https://support.microsoft.com/help/4096339/windows-10-device-protection-in-windows-defender-security-center). -### Enable HVCI using Intune +Beginning with Windows 11 22H2, the Windows Security app shows a warning if memory integrity is turned off. The warning indicator also appears on the Windows Security icon in the Windows Taskbar and in the Windows Notification Center. 
The user can dismiss the warning from within the Windows Security app. -Enabling in Intune requires using the Code Integrity node in the [VirtualizationBasedTechnology CSP](/windows/client-management/mdm/policy-csp-virtualizationbasedtechnology). You can configure the settings in Windows by using the [settings catalog](/mem/intune/configuration/settings-catalog). +To proactively dismiss the memory integrity warning, you can set the **Hardware_HVCI_Off** (DWORD) registry value under `HKLM\SOFTWARE\Microsoft\Windows Security Health\State` to 0. After you change the registry value, you must restart the device for the change to take effect. -### Enable HVCI using Group Policy +### Enable memory integrity using Intune + +Enabling in Intune requires using the Code Integrity node in the [VirtualizationBasedTechnology CSP](/windows/client-management/mdm/policy-csp-virtualizationbasedtechnology). You can configure these settings by using the [settings catalog](/mem/intune/configuration/settings-catalog). + +### Enable memory integrity using Group Policy 1. Use Group Policy Editor (gpedit.msc) to either edit an existing GPO or create a new one. 
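Review bot: the options list under "How to turn on memory integrity" in this hunk (Windows Security app, Intune, Group Policy, Configuration Manager, Registry) doesn't link the new "Enable memory integrity using Windows Defender Application Control (WDAC)" section that this same patch adds further down in the file; add a bullet such as `- [Windows Defender Application Control](#enable-memory-integrity-using-windows-defender-application-control-wdac)` so readers who manage devices through WDAC policy find it. Two smaller points: the NOTE now reads "Intel Kabylake" where the line it replaces had "Kaby Lake" (the vendor's spelling), and the paragraph on `Hardware_HVCI_Off` should say explicitly that setting it to 0 only silences the Windows Security warning and leaves memory integrity off, because "proactively dismiss" can be read as a way to satisfy the check rather than suppress it.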
@@ -62,17 +71,17 @@ Enabling in Intune requires using the Code Integrity node in the [Virtualization 3. Double-click **Turn on Virtualization Based Security**. -4. Click **Enabled** and under **Virtualization Based Protection of Code Integrity**, select **Enabled with UEFI lock** to ensure HVCI can't be disabled remotely or select **Enabled without UEFI lock**. +4. Select **Enabled** and under **Virtualization Based Protection of Code Integrity**, select **Enabled without UEFI lock**. Only select **Enabled with UEFI lock** if you want to prevent memory integrity from being disabled remotely or by policy update. Once enabled with UEFI lock, you must have access to the UEFI BIOS menu to turn off Secure Boot if you want to turn off memory integrity. - ![Enable HVCI using Group Policy.](../images/enable-hvci-gp.png) + ![Enable memory integrity using Group Policy.](../images/enable-hvci-gp.png) -5. Click **Ok** to close the editor. +5. Select **Ok** to close the editor. To apply the new policy on a domain-joined computer, either restart or run `gpupdate /force` in an elevated command prompt. -### Use registry keys to enable virtualization-based protection of code integrity +### Use registry keys to enable memory integrity -Set the following registry keys to enable HVCI. These keys provide exactly the same set of configuration options provided by Group Policy. +Set the following registry keys to enable memory integrity. These keys provide exactly the same set of configuration options provided by Group Policy. 
@@ -80,13 +89,13 @@ Set the following registry keys to enable HVCI. These keys provide exactly the s > > - Among the commands that follow, you can choose settings for **Secure Boot** and **Secure Boot with DMA**. In most situations, we recommend that you choose **Secure Boot**. This option provides Secure Boot with as much protection as is supported by a given computer's hardware. A computer with input/output memory management units (IOMMUs) will have Secure Boot with DMA protection. A computer without IOMMUs will simply have Secure Boot enabled. > -> - In contrast, with **Secure Boot with DMA**, the setting will enable Secure Boot—and VBS itself—only on a computer that supports DMA, that is, a computer with IOMMUs. With this setting, any computer without IOMMUs will not have VBS or HVCI protection, although it can still have Windows Defender Application Control enabled. +> - If you select **Secure Boot with DMA**, memory integrity and the other VBS features will only be turned on for computers that support DMA. That is, for computers with IOMMUs only. Any computer without IOMMUs will not have VBS or memory integrity protection. > > - All drivers on the system must be compatible with virtualization-based protection of code integrity; otherwise, your system may fail. We recommend that you enable these features on a group of test computers before you enable them on users' computers. #### For Windows 10 version 1607 and later and for Windows 11 version 21H2 -Recommended settings (to enable virtualization-based protection of Code Integrity policies, without UEFI Lock): +Recommended settings (to enable memory integrity without UEFI Lock): ```console reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f 
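Review bot: "computers that support DMA" in the rewritten Secure Boot with DMA bullet is imprecise, since every PC performs DMA; the bullet two lines above correctly ties the option to IOMMUs, so write "computers that support DMA protection (that is, computers with IOMMUs)". The unchanged bullet that follows still says "virtualization-based protection of code integrity" while the rest of the patch renames the feature to memory integrity; it sits in the context lines of this hunk, so it's worth folding into the rename.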
@@ -100,9 +109,9 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorE reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 0 /f ``` -If you want to customize the preceding recommended settings, use the following settings. +If you want to customize the preceding recommended settings, use the following registry keys. -**To enable VBS** +**To enable VBS only (no memory integrity)** ```console reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f @@ -132,19 +141,19 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_D reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 1 /f ``` -**To enable virtualization-based protection of Code Integrity policies** +**To enable memory integrity** ```console reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 1 /f ``` -**To enable virtualization-based protection of Code Integrity policies without UEFI lock (value 0)** +**To enable memory integrity without UEFI lock (value 0)** ```console reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 0 /f ``` -**To enable virtualization-based protection of Code Integrity policies with UEFI lock (value 1)** +**To enable memory integrity with UEFI lock (value 1)** ```console reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 1 /f 
@@ -152,7 +161,7 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorE #### For Windows 10 version 1511 and earlier -Recommended settings (to enable virtualization-based protection of Code Integrity policies, without UEFI Lock): +Recommended settings (to enable memory integrity, without UEFI Lock): ```console reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f 
@@ -184,34 +193,45 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformS reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 3 /f ``` -**To enable virtualization-based protection of Code Integrity policies (with the default, UEFI lock)** +**To enable memory integrity (with the default, UEFI lock)** ```console reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "HypervisorEnforcedCodeIntegrity" /t REG_DWORD /d 1 /f ``` -**To enable virtualization-based protection of Code Integrity policies without UEFI lock** +**To enable memory integrity without UEFI lock** ```console reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Unlocked" /t REG_DWORD /d 1 /f ``` -### Validate enabled Windows Defender Device Guard hardware-based security features +### Enable memory integrity using Windows Defender Application Control (WDAC) -Windows 10, Windows 11, and Windows Server 2016 have a WMI class for related properties and features: *Win32\_DeviceGuard*. This class can be queried from an elevated Windows PowerShell session by using the following command: +You can use WDAC policy to turn on memory integrity using any of the following techniques: + +1. Use the [WDAC Wizard](https://aka.ms/wdacwizard) to create or edit your WDAC policy and select the option **Hypervisor-protected Code Integrity** on the **Policy Rules** page of the Wizard. +2. Use the [Set-HVCIOptions](/powershell/module/configci/set-hvcioptions) PowerShell cmdlet. +3. Edit your WDAC policy XML and modify the value set for the `` element. + +> [!NOTE] +> If your WDAC policy is set to turn memory integrity on, it will be turned on even if the policy is in audit mode. + +### Validate enabled VBS and memory integrity features + +Windows 10, Windows 11, and Windows Server 2016 and higher have a WMI class for VBS-related properties and features: *Win32\_DeviceGuard*. 
This class can be queried from an elevated Windows PowerShell session by using the following command: ```powershell Get-CimInstance –ClassName Win32_DeviceGuard –Namespace root\Microsoft\Windows\DeviceGuard ``` > [!NOTE] -> Mode Based Execution Control property will only be listed as available starting with Windows 10 version 1803 and Windows 11 version 21H2. +> Mode Based Execution Control property will only be listed as available starting with Windows 10 version 1803 and Windows 11 version 21H2. This value is reported for both Intel's *Mode-Based Execution Control* and AMD's *Guest Mode Execute Trap* capabilities. The output of this command provides details of the available hardware-based security features and those features that are currently enabled. #### AvailableSecurityProperties -This field helps to enumerate and report state on the relevant security properties for Windows Defender Device Guard. +This field helps to enumerate and report state on the relevant security properties for VBS and memory integrity. Value | Description -|- @@ -227,11 +247,11 @@ Value | Description #### InstanceIdentifier -A string that is unique to a particular device. Valid values are determined by WMI. +A string that is unique to a particular device and set by WMI. #### RequiredSecurityProperties -This field describes the required security properties to enable virtualization-based security. +This field describes the required security properties to enable VBS. Value | Description -|- 
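Review bot: item 3 of the new WDAC list ("modify the value set for the `` element") has nothing between the backticks, so the reader isn't told which XML element to edit; the element name was most likely stripped as an HTML tag during rendering, so it needs to be escaped in the source, or the item should defer to the `Set-HVCIOptions` cmdlet linked in item 2, which sets the same policy option. The three techniques are alternatives, not steps, so a bulleted list reads better than "1. 2. 3." The NOTE that a WDAC policy turns memory integrity on even when the policy is in audit mode is a useful caveat and should stay.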
@@ -246,25 +266,25 @@ Value | Description #### SecurityServicesConfigured -This field indicates whether the Windows Defender Credential Guard or HVCI service has been configured. +This field indicates whether Windows Defender Credential Guard or memory integrity has been configured. Value | Description -|- **0.** | No services are configured. **1.** | If present, Windows Defender Credential Guard is configured. -**2.** | If present, HVCI is configured. +**2.** | If present, memory integrity is configured. **3.** | If present, System Guard Secure Launch is configured. **4.** | If present, SMM Firmware Measurement is configured. #### SecurityServicesRunning -This field indicates whether the Windows Defender Credential Guard or HVCI service is running. +This field indicates whether Windows Defender Credential Guard or memory integrity is running. Value | Description -|- **0.** | No services running. **1.** | If present, Windows Defender Credential Guard is running. -**2.** | If present, HVCI is running. +**2.** | If present, memory integrity is running. **3.** | If present, System Guard Secure Launch is running. **4.** | If present, SMM Firmware Measurement is running. 
@@ -286,43 +306,41 @@ Value | Description This field lists the computer name. All valid values for computer name. -Another method to determine the available and enabled virtualization-based security features is to run msinfo32.exe from an elevated PowerShell session. When you run this program, the virtualization-based security features are displayed at the bottom of the **System Summary** section. +Another method to determine the available and enabled VBS features is to run msinfo32.exe from an elevated PowerShell session. When you run this program, the VBS features are displayed at the bottom of the **System Summary** section. :::image type="content" alt-text="Virtualization-based security features in the System Summary of System Information." source="images/system-information-virtualization-based-security.png" lightbox="images/system-information-virtualization-based-security.png"::: ## Troubleshooting -A. If a device driver fails to load or crashes at runtime, you may be able to update the driver using **Device Manager**. +- If a device driver fails to load or crashes at runtime, you may be able to update the driver using **Device Manager**. +- If you experience a critical error during boot or your system is unstable after turning on memory integrity, you can recover using the Windows Recovery Environment (Windows RE). + 1. First, disable any policies that are used to enable VBS and memory integrity, for example Group Policy. + 2. Then, boot to Windows RE on the affected computer, see [Windows RE Technical Reference](/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference). + 3. After logging in to Windows RE, set the memory integrity registry key to off: -B. 
If you experience software or device malfunction after using the above procedure to turn on HVCI, but you're able to sign in to Windows, you can turn off HVCI by renaming or deleting the SIPolicy.p7b file from `\Windows\System32\CodeIntegrity\` and then restart your device. + ```console + reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 0 /f + ``` -C. If you experience a critical error during boot or your system is unstable after using the above procedure to turn on HVCI, you can recover using the Windows Recovery Environment (Windows RE). To boot to Windows RE, see [Windows RE Technical Reference](/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference). After logging in to Windows RE, you can turn off HVCI by renaming or deleting the SIPolicy.p7b file from `\Windows\System32\CodeIntegrity\` and then restart your device. + 4. Finally, restart your device. -## How to turn off HVCI +> [!NOTE] +> If you turned on memory integrity with UEFI lock, you will need to disable Secure Boot to complete the Windows RE recovery steps. -1. Run the following command from an elevated prompt to set the HVCI registry key to off: +## Memory integrity deployment in virtual machines - ```console - reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 0 /f - ``` +Memory integrity can protect a Hyper-V virtual machine, just as it would a physical machine. The steps to enable memory integrity are the same from within the virtual machine. -1. Restart the device. - -1. To confirm HVCI has been successfully disabled, open System Information and check **Virtualization-based security Services Running**, which should now have no value displayed. - -## HVCI deployment in virtual machines - -HVCI can protect a Hyper-V virtual machine, just as it would a physical machine. 
The steps to enable Windows Defender Application Control are the same from within the virtual machine. - -WDAC protects against malware running in the guest virtual machine. It doesn't provide extra protection from the host administrator. From the host, you can disable WDAC for a virtual machine: +Memory integrity protects against malware running in the guest virtual machine. It doesn't provide extra protection from the host administrator. From the host, you can disable memory integrity for a virtual machine: ```powershell Set-VMSecurity -VMName -VirtualizationBasedSecurityOptOut $true ``` -### Requirements for running HVCI in Hyper-V virtual machines -- The Hyper-V host must run at least Windows Server 2016 or Windows 10 version 1607. -- The Hyper-V virtual machine must be Generation 2, and running at least Windows Server 2016 or Windows 10. -- HVCI and [nested virtualization](/virtualization/hyper-v-on-windows/user-guide/nested-virtualization) can be enabled at the same time. To enable the Hyper-V role on the virtual machine, you must first install the Hyper-V role in a Windows nested virtualization environment. -- Virtual Fibre Channel adapters aren't compatible with HVCI. Before attaching a virtual Fibre Channel Adapter to a virtual machine, you must first opt out of virtualization-based security using `Set-VMSecurity`. -- The AllowFullSCSICommandSet option for pass-through disks isn't compatible with HVCI. Before configuring a pass-through disk with AllowFullSCSICommandSet, you must first opt out of virtualization-based security using `Set-VMSecurity`. +### Requirements for running memory integrity in Hyper-V virtual machines + +- The Hyper-V host must run at least Windows Server 2016 or Windows 10 version 1607. +- The Hyper-V virtual machine must be Generation 2, and running at least Windows Server 2016 or Windows 10. 
+- Memory integrity and [nested virtualization](/virtualization/hyper-v-on-windows/user-guide/nested-virtualization) can be enabled at the same time. To enable the Hyper-V role on the virtual machine, you must first install the Hyper-V role in a Windows nested virtualization environment. +- Virtual Fibre Channel adapters aren't compatible with memory integrity. Before attaching a virtual Fibre Channel Adapter to a virtual machine, you must first opt out of virtualization-based security using `Set-VMSecurity`. +- The AllowFullSCSICommandSet option for pass-through disks isn't compatible with memory integrity. Before configuring a pass-through disk with AllowFullSCSICommandSet, you must first opt out of virtualization-based security using `Set-VMSecurity`. diff --git a/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md b/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md index 25024c897f..09f6cce05f 100644 --- a/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md +++ b/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md @@ -9,7 +9,7 @@ ms.reviewer: manager: aaroncz ms.custom: asr ms.technology: itpro-security -ms.date: 12/31/2017 +ms.date: 03/16/2023 ms.topic: article --- 
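Review bot: step 3 of the new Windows RE recovery procedure doesn't reach the installation that failed to boot: inside Windows RE, `HKLM\SYSTEM` is the recovery environment's own hive, so `reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 0 /f` edits WinRE's registry and the affected OS restarts with memory integrity still on. The step should load the offline hive first (for example `reg load HKLM\OfflineSystem <OS drive>:\Windows\System32\config\SYSTEM`, where the OS volume's drive letter under WinRE may differ from the usual C:), write the value under the control set named by the hive's `Select\Current` value (usually `ControlSet001`) rather than `CurrentControlSet`, which only exists as a link in a hive loaded by a running Windows, and `reg unload` the hive before the restart in step 4. Separately, this hunk deletes the "How to turn off HVCI" section and the SIPolicy.p7b option, so the article no longer tells an administrator how to turn memory integrity off on a device that still boots normally; keep a short turn-off section (registry value to 0, restart, confirm in System Information) alongside the recovery steps. In the VM section, the context line `Set-VMSecurity -VMName -VirtualizationBasedSecurityOptOut $true` passes no value to `-VMName`; it should read `-VMName "<VM name>"`.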
@@ -18,30 +18,29 @@ ms.topic: article **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and higher -Windows 10 includes a set of hardware and OS technologies that, when configured together, allow enterprises to "lock down" Windows 10 systems so they behave more like mobile devices. In this configuration, Windows Defender Application Control (WDAC) is used to restrict devices to run only approved apps, while the OS is hardened against kernel memory attacks using hypervisor-protected code integrity (HVCI). +Windows includes a set of hardware and OS technologies that, when configured together, allow enterprises to "lock down" Windows systems so they behave more like mobile devices. In this configuration, [**Windows Defender Application Control (WDAC)**](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control) is used to restrict devices to run only approved apps, while the OS is hardened against kernel memory attacks using [**memory integrity**](enable-virtualization-based-protection-of-code-integrity.md). -WDAC policies and HVCI are powerful protections that can be used separately. However, when these two technologies are configured to work together, they present a strong protection capability for Windows 10 devices. +WDAC policies and memory integrity are powerful protections that can be used separately. However, when these two technologies are configured to work together, they present a strong protection capability for Windows devices. -Using Windows Defender Application Control to restrict devices to only authorized apps has these advantages over other solutions: +Using WDAC to restrict devices to only authorized apps has these advantages over other solutions: -1. WDAC policy is enforced by the Windows kernel itself, and the policy takes effect early in the boot sequence before nearly all other OS code and before traditional antivirus solutions run. -2. 
WDAC lets you set application control policy for code that runs in user mode, kernel mode hardware and software drivers, and even code that runs as part of Windows. -3. Customers can protect the WDAC policy even from local administrator tampering by digitally signing the policy. To change signed policy requires both administrative privilege and access to the organization's digital signing process. This makes it difficult for an attacker, including one who has managed to gain administrative privilege, to tamper with WDAC policy. -4. You can protect the entire WDAC enforcement mechanism with HVCI. Even if a vulnerability exists in kernel mode code, HVCI greatly reduces the likelihood that an attacker could successfully exploit it. This is important because an attacker that compromises the kernel could normally disable most system defenses, including those enforced by WDAC or any other application control solution. +1. The Windows kernel handles enforcement of WDAC policy and requires no other services or agents. +2. The WDAC policy takes effect early in the boot sequence before nearly all other OS code and before traditional antivirus solutions run. +3. WDAC lets you set application control policy for any code that runs on Windows, including kernel mode drivers and even code that runs as part of Windows. +4. Customers can protect the WDAC policy even from local administrator tampering by digitally signing the policy. Changing signed policy requires both administrative privilege and access to the organization's digital signing process. Using signed policies makes it difficult for an attacker, including one who has managed to gain administrative privilege, to tamper with WDAC policy. +5. You can protect the entire WDAC enforcement mechanism with memory integrity. Even if a vulnerability exists in kernel mode code, memory integrity greatly reduces the likelihood that an attacker could successfully exploit it. 
Without memory integrity, an attacker who compromises the kernel could normally disable most system defenses, including application control policies enforced by WDAC or any other application control solution. -## Why we no longer use the Device Guard brand +There are no direct dependencies between WDAC and memory integrity. You can deploy them individually or together and there's no order in which they must be deployed. -When we originally promoted Device Guard, we did so with a specific security promise in mind. Although there were no direct dependencies between WDAC and HVCI, we intentionally focused our discussion around the lockdown state achieved when using them together. However, since HVCI relies on Windows virtualization-based security, it has hardware, firmware, and kernel driver compatibility requirements that some older systems can't meet. This misled many people to assume that if systems couldn't use HVCI, they couldn't use WDAC either. +Memory integrity relies on Windows virtualization-based security, and has hardware, firmware, and kernel driver compatibility requirements that some older systems can't meet. -WDAC has no specific hardware or software requirements other than running Windows 10, which means customers were denied the benefits of this powerful application control capability due to Device Guard confusion. - -Since the initial release of Windows 10, the world has witnessed numerous hacking and malware attacks where application control alone could have prevented the attack altogether. With this in mind, we now discuss and document Windows Defender Application Control as an independent technology within our security stack and gave it a name of its own: [Windows Defender Application Control](../windows-defender-application-control/windows-defender-application-control.md). -We hope this change will help us better communicate options for adopting application control within your organizations. 
+WDAC has no specific hardware or software requirements. ## Related articles - [Windows Defender Application Control](../windows-defender-application-control/windows-defender-application-control.md) -- [Driver compatibility with Device Guard in Windows 10](https://techcommunity.microsoft.com/t5/windows-hardware-certification/driver-compatibility-with-device-guard-in-windows-10/ba-p/364865) -- [Code integrity](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd348642(v=ws.10)) +- [Memory integrity](enable-virtualization-based-protection-of-code-integrity.md) +- [Driver compatibility with memory integrity](https://techcommunity.microsoft.com/t5/windows-hardware-certification/driver-compatibility-with-device-guard-in-windows-10/ba-p/364865) diff --git a/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md b/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md index 1d37a88d20..9e1561c2d8 100644 --- a/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md @@ -14,7 +14,7 @@ author: jsuther1974 ms.reviewer: jogeurte ms.author: vinpa manager: aaroncz -ms.date: 02/27/2023 +ms.date: 03/16/2023 ms.technology: itpro-security --- 
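Review bot: the Applies to list says "Windows Server 2016 and higher" while the same patch writes "Windows Server 2016 or higher" in enable-virtualization-based-protection-of-code-integrity.md; pick one form for both files. The closing sentence "WDAC has no specific hardware or software requirements." drops the "other than running Windows 10" qualifier from the deleted line and now reads as if WDAC ran on anything; keep a minimum-OS qualifier consistent with the Applies to list. The WDAC link in the first paragraph uses a site-absolute path (`/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control`) while Related articles uses the relative `../windows-defender-application-control/windows-defender-application-control.md`; use one form in both places for consistency.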
@@ -36,7 +36,7 @@ When you create policies for use with Windows Defender Application Control (WDAC | **Example Base Policy** | **Description** | **Where it can be found** | |-------------------------|---------------------------------------------------------------|--------| | **DefaultWindows_\*.xml** | This example policy is available in both audit and enforced mode. It includes rules to allow Windows, third-party hardware and software kernel drivers, and Windows Store apps. Used as the basis for the [Microsoft Intune product family](https://www.microsoft.com/security/business/endpoint-management/microsoft-intune) policies. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_\*.xml
        %ProgramFiles%\WindowsApps\Microsoft.WDAC.WDACWizard*\DefaultWindows_Audit.xml | -| **AllowMicrosoft.xml** | This example policy is available in enforcement mode. It includes the rules from DefaultWindows and adds rules to trust apps signed by the Microsoft product root certificate. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowMicrosoft.xml
        %ProgramFiles%\WindowsApps\Microsoft.WDAC.WDACWizard*\AllowMicrosoft.xml | +| **AllowMicrosoft.xml** | This example policy includes the rules from DefaultWindows and adds rules to trust apps signed by the Microsoft product root certificate. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowMicrosoft.xml
        %ProgramFiles%\WindowsApps\Microsoft.WDAC.WDACWizard*\AllowMicrosoft.xml | | **AllowAll.xml** | This example policy is useful when creating a blocklist. All block policies should include rules allowing all other code to run and then add the DENY rules for your organization's needs. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml | | **AllowAll_EnableHVCI.xml** | This example policy can be used to enable [memory integrity](https://support.microsoft.com/windows/core-isolation-e30ed737-17d8-42f3-a2a9-87521df09b78) (also known as hypervisor-protected code integrity) using WDAC. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowAll_EnableHVCI.xml | | **DenyAllAudit.xml** | ***Warning: May cause long boot time on Windows Server 2019.*** Only deploy this example policy in audit mode to track all binaries running on critical systems or to meet regulatory requirements. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\DenyAllAudit.xml | From 381af7cc81e1d7642d2f421eb56f99ea4580811a Mon Sep 17 00:00:00 2001 From: Junkui Chen Date: Fri, 17 Mar 2023 18:02:37 +0800 Subject: [PATCH 082/101] add the adobe-target metadata for A/B testing --- browsers/edge/docfx.json | 1 + browsers/internet-explorer/docfx.json | 1 + education/docfx.json | 1 + store-for-business/docfx.json | 1 + windows/application-management/docfx.json | 1 + windows/client-management/docfx.json | 1 + windows/configuration/docfx.json | 1 + windows/deployment/docfx.json | 1 + windows/hub/docfx.json | 1 + windows/privacy/docfx.json | 1 + windows/security/docfx.json | 1 + windows/whats-new/docfx.json | 1 + 12 files changed, 12 insertions(+) diff --git a/browsers/edge/docfx.json b/browsers/edge/docfx.json index f021f6aafb..2205218007 100644 --- a/browsers/edge/docfx.json +++ b/browsers/edge/docfx.json @@ -29,6 +29,7 @@ "globalMetadata": { "uhfHeaderId": "MSDocsHeader-MSEdge", "recommendations": true, + "adobe-target": true, "ms.collection": [ "tier3" ], 
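Review bot: the commit message says only "add the adobe-target metadata for A/B testing"; neither it nor this hunk records what consumes the `adobe-target` key or what it changes in the rendered pages, and JSON allows no inline comment, so link the build documentation for the key in the PR description (or a tracking issue) so a later reviewer of these twelve docsets can tell what the flag turns on.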
diff --git a/browsers/internet-explorer/docfx.json b/browsers/internet-explorer/docfx.json index 626d8e7d35..ed0fa381c5 100644 --- a/browsers/internet-explorer/docfx.json +++ b/browsers/internet-explorer/docfx.json @@ -24,6 +24,7 @@ ], "globalMetadata": { "recommendations": true, + "adobe-target": true, "ms.collection": [ "tier3" ], diff --git a/education/docfx.json b/education/docfx.json index 993809eee6..8662cf333f 100644 --- a/education/docfx.json +++ b/education/docfx.json @@ -28,6 +28,7 @@ ], "globalMetadata": { "recommendations": true, + "adobe-target": true, "ms.topic": "article", "ms.collection": [ "education", diff --git a/store-for-business/docfx.json b/store-for-business/docfx.json index 4be7b72365..c0b85a8a1d 100644 --- a/store-for-business/docfx.json +++ b/store-for-business/docfx.json @@ -32,6 +32,7 @@ "externalReference": [], "globalMetadata": { "recommendations": true, + "adobe-target": true, "ms.collection": [ "tier2" ], diff --git a/windows/application-management/docfx.json b/windows/application-management/docfx.json index 1c1b014b8d..76647fae53 100644 --- a/windows/application-management/docfx.json +++ b/windows/application-management/docfx.json @@ -34,6 +34,7 @@ "externalReference": [], "globalMetadata": { "recommendations": true, + "adobe-target": true, "breadcrumb_path": "/windows/resources/breadcrumb/toc.json", "ms.collection": [ "tier2" diff --git a/windows/client-management/docfx.json b/windows/client-management/docfx.json index ae506a8cb0..1fcb22e3c9 100644 --- a/windows/client-management/docfx.json +++ b/windows/client-management/docfx.json @@ -34,6 +34,7 @@ "externalReference": [], "globalMetadata": { "recommendations": true, + "adobe-target": true, "ms.collection": [ "tier2" ], diff --git a/windows/configuration/docfx.json b/windows/configuration/docfx.json index 90a28bb7e6..ae433621cc 100644 --- a/windows/configuration/docfx.json +++ b/windows/configuration/docfx.json 
@@ -34,6 +34,7 @@ "externalReference": [], "globalMetadata": { "recommendations": true, + "adobe-target": true, "ms.collection": [ "tier2" ], diff --git a/windows/deployment/docfx.json b/windows/deployment/docfx.json index 1387984499..066cd3ec04 100644 --- a/windows/deployment/docfx.json +++ b/windows/deployment/docfx.json @@ -34,6 +34,7 @@ "externalReference": [], "globalMetadata": { "recommendations": true, + "adobe-target": true, "ms.collection": [ "tier2" ], diff --git a/windows/hub/docfx.json b/windows/hub/docfx.json index c1b07ce9d8..92c7e04bad 100644 --- a/windows/hub/docfx.json +++ b/windows/hub/docfx.json @@ -34,6 +34,7 @@ "externalReference": [], "globalMetadata": { "recommendations": true, + "adobe-target": true, "ms.collection": [ "tier1" ], diff --git a/windows/privacy/docfx.json b/windows/privacy/docfx.json index 79774ab7cc..9527d8b80f 100644 --- a/windows/privacy/docfx.json +++ b/windows/privacy/docfx.json @@ -34,6 +34,7 @@ "externalReference": [], "globalMetadata": { "recommendations": true, + "adobe-target": true, "breadcrumb_path": "/windows/resources/breadcrumb/toc.json", "uhfHeaderId": "MSDocsHeader-M365-IT", "ms.technology": "windows", diff --git a/windows/security/docfx.json b/windows/security/docfx.json index 0310c13313..7591454011 100644 --- a/windows/security/docfx.json +++ b/windows/security/docfx.json @@ -34,6 +34,7 @@ "externalReference": [], "globalMetadata": { "recommendations": true, + "adobe-target": true, "ms.collection": [ "tier2" ], diff --git a/windows/whats-new/docfx.json b/windows/whats-new/docfx.json index bd292f17c7..e833279c7f 100644 --- a/windows/whats-new/docfx.json +++ b/windows/whats-new/docfx.json @@ -34,6 +34,7 @@ "externalReference": [], "globalMetadata": { "recommendations": true, + "adobe-target": true, "ms.collection": [ "tier2" ], From c7685c70578f7a01f2a8f346bb2e91406e7d1422 Mon Sep 17 00:00:00 2001 
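Review bot: Setting `"adobe-target": true` in `globalMetadata` turns on Adobe Target A/B testing for every page in these twelve doc sets, including `windows/privacy/docfx.json` and `windows/security/docfx.json`; the commit message says only "add the adobe-target metadata for A/B testing", so please record in the PR description which consent/privacy review covers loading that third-party experimentation script on the privacy and security documentation, since this key is inserted identically in all twelve files with no per-docset opt-out.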
From: Erik Parkkonen <61334012+SAINT-SCOBBERLOTCHER@users.noreply.github.com> Date: Fri, 17 Mar 2023 08:47:08 -0700 Subject: [PATCH 083/101] Update connect-to-remote-aadj-pc.md I added some new suggested verbiage to the page. Also some other feedback. - It took me a while to figure out that the Supported configurations table only applied to the Connect without Azure AD authentication section. Can you add a table or note to the Connect with Azure AD Authentication section that either enumerates all the credential types that are supported or that makes this more clear? To me it first made me think that credentials like FIDO2 security keys were not supported with Azure AD Authentication, but after testing I discovered that they are in fact supported. - Can you add notes about how long the RDP session lives by default. WIth Azure AD Authentication, even signing out of the remote desktop does not cause the user to reauth again when signing back in. The session length seems quite long. Maybe add a suggestion for CA Policy Session Controls to limit the session length also. - The App name/appID needed in the CA Policy isn't easy to find, so I put a specific mention of it in the page. --- windows/client-management/connect-to-remote-aadj-pc.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/windows/client-management/connect-to-remote-aadj-pc.md b/windows/client-management/connect-to-remote-aadj-pc.md index 2abfcd2135..be69216aa6 100644 --- a/windows/client-management/connect-to-remote-aadj-pc.md +++ b/windows/client-management/connect-to-remote-aadj-pc.md 
@@ -49,13 +49,14 @@ There's no requirement for the local device to be joined to a domain or Azure AD To connect to the remote computer: - Launch **Remote Desktop Connection** from Windows Search, or by running `mstsc.exe`. -- Specify the name of the remote computer. +- Specify the **name** of the remote computer (IP address cannot be used when **Use a web account to sign in to the remote computer** option is used.) - Select **Use a web account to sign in to the remote computer** option in the **Advanced** tab. This option is equivalent to the `enablerdsaadauth` RDP property. For more information, see [Supported RDP properties with Remote Desktop Services](/windows-server/remote/remote-desktop-services/clients/rdp-files). - When prompted for credentials, specify your user name in `user@domain.com` format. - You're then prompted to allow the remote desktop connection when connecting to a new PC. Azure AD remembers up to 15 hosts for 30 days before prompting again. If you see this dialogue, select **Yes** to connect. > [!IMPORTANT] -> If your organization has configured and is using [Azure AD Conditional Access](/azure/active-directory/conditional-access/overview), your device must satisfy the conditional access requirements to allow connection to the remote computer. +> If your organization has configured and is using [Azure AD Conditional Access](/azure/active-directory/conditional-access/overview), your device must satisfy the conditional access requirements to allow connection to the remote computer. Conditional Access Policies can be used to "Require multi-factor authentication", "Require authentication strength" and session controls like "Sign-in frequency" by applying the Conditional Access Policy to the specific application **Microsoft Remote Desktop (a4a365df-50f1-4397-bc59-1a1564b8bb9c)** + ### Disconnection when the session is locked From 2a06b2ea7717f041083c86879421a8b485af9a7d Mon Sep 17 00:00:00 2001 
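Review bot: The sentence appended to the `[!IMPORTANT]` callout ends without a period after `**Microsoft Remote Desktop (a4a365df-50f1-4397-bc59-1a1564b8bb9c)**`, and the `+` line that follows adds an empty line inside the blockquote; close the sentence and drop the blank line. The parenthetical added to the "Specify the name of the remote computer" step is a constraint of the **Use a web account to sign in to the remote computer** option rather than part of the action, so it would read more clearly as its own `[!NOTE]` under the step (the same wording could then be reused without the unbalanced closing parenthesis after "is used.").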
From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Fri, 17 Mar 2023 14:32:02 -0400 Subject: [PATCH 084/101] Update connect-to-remote-aadj-pc.md --- .../client-management/connect-to-remote-aadj-pc.md | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/windows/client-management/connect-to-remote-aadj-pc.md b/windows/client-management/connect-to-remote-aadj-pc.md index be69216aa6..32fe81be20 100644 --- a/windows/client-management/connect-to-remote-aadj-pc.md +++ b/windows/client-management/connect-to-remote-aadj-pc.md 
@@ -49,14 +49,17 @@ There's no requirement for the local device to be joined to a domain or Azure AD To connect to the remote computer: - Launch **Remote Desktop Connection** from Windows Search, or by running `mstsc.exe`. -- Specify the **name** of the remote computer (IP address cannot be used when **Use a web account to sign in to the remote computer** option is used.) - Select **Use a web account to sign in to the remote computer** option in the **Advanced** tab. This option is equivalent to the `enablerdsaadauth` RDP property. For more information, see [Supported RDP properties with Remote Desktop Services](/windows-server/remote/remote-desktop-services/clients/rdp-files). +- Specify the name of the remote computer and select **Connect**. + + > [!NOTE] + > IP address cannot be used when **Use a web account to sign in to the remote computer** option is used. + - When prompted for credentials, specify your user name in `user@domain.com` format. - You're then prompted to allow the remote desktop connection when connecting to a new PC. Azure AD remembers up to 15 hosts for 30 days before prompting again. If you see this dialogue, select **Yes** to connect. > [!IMPORTANT] -> If your organization has configured and is using [Azure AD Conditional Access](/azure/active-directory/conditional-access/overview), your device must satisfy the conditional access requirements to allow connection to the remote computer. Conditional Access Policies can be used to "Require multi-factor authentication", "Require authentication strength" and session controls like "Sign-in frequency" by applying the Conditional Access Policy to the specific application **Microsoft Remote Desktop (a4a365df-50f1-4397-bc59-1a1564b8bb9c)** - +> If your organization has configured and is using [Azure AD Conditional Access](/azure/active-directory/conditional-access/overview), your device must satisfy the conditional access requirements to allow connection to the remote computer. 
Conditional Access policies with [grant controls](/azure/active-directory/conditional-access/concept-conditional-access-grant) and [session controls](/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime) may be applied to the application **Microsoft Remote Desktop (a4a365df-50f1-4397-bc59-1a1564b8bb9c)** for controlled access. ### Disconnection when the session is locked @@ -88,7 +91,7 @@ To connect to the remote computer: ### Supported configurations -This table lists the supported configurations for remotely connecting to an Azure AD joined device: +This table lists the supported configurations for remotely connecting to an Azure AD joined device without using Azure AD authentication: | **Criteria** | **Client operating system** | **Supported credentials** | |--------------------------------------------|-----------------------------------|--------------------------------------------------------------------| From e71610444903fb963e14d57b1810d620b9fe5035 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?David=20B=C3=A9langer?= <11839202+davidbel@users.noreply.github.com> Date: Fri, 17 Mar 2023 15:35:22 -0700 Subject: [PATCH 085/101] Learn Editor: Update connect-to-remote-aadj-pc.md --- .../connect-to-remote-aadj-pc.md | 21 ++++++++++++------- 1 file changed, 13 insertions(+), 8 deletions(-) diff --git a/windows/client-management/connect-to-remote-aadj-pc.md b/windows/client-management/connect-to-remote-aadj-pc.md index 32fe81be20..b0f7106613 100644 --- a/windows/client-management/connect-to-remote-aadj-pc.md +++ b/windows/client-management/connect-to-remote-aadj-pc.md 
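Review bot: In the second hunk of PATCH 084, qualifying the "Supported configurations" table as applying only to connections "without using Azure AD authentication" removes the ambiguity described in the PATCH 083 message, but the "Connect with Azure AD Authentication" section still says nothing about which credential types are supported on that path; a one-line statement there (or a parallel table) would stop readers from taking the table's credential column as a global restriction, which is exactly the misreading the earlier submitter reported.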
@@ -22,8 +22,8 @@ ms.technology: itpro-manage From its release, Windows has supported remote connections to devices joined to Active Directory using Remote Desktop Protocol (RDP). Windows 10, version 1607 added the ability to connect to a device that is joined to Azure Active Directory (Azure AD) using RDP. - Starting in Windows 10, version 1809, you can [use biometrics to authenticate to a remote desktop session](/windows/whats-new/whats-new-windows-10-version-1809#remote-desktop-with-biometrics). -- Starting in Windows 10/11, with 2022-09 preview update installed, you can [use Azure AD authentication to connect to the remote Azure AD device](#connect-with-azure-ad-authentication). - +- Starting in Windows 10/11, with 2022-10 update installed, you can [use Azure AD authentication to connect to the remote Azure AD device](#connect-with-azure-ad-authentication). + ## Prerequisites - Both devices (local and remote) must be running a supported version of Windows. 
@@ -34,17 +34,19 @@ From its release, Windows has supported remote connections to devices joined to ## Connect with Azure AD Authentication -Azure AD Authentication can be used on the following operating systems: - -- Windows 11 with [2022-09 Cumulative Updates for Windows 11 Preview (KB5017383)](https://support.microsoft.com/kb/KB5017383) or later installed. -- Windows 10, version 20H2 or later with [2022-09 Cumulative Updates for Windows 10 Preview (KB5017380)](https://support.microsoft.com/kb/KB5017380) or later installed. -- Windows Server 2022 with [2022-09 Cumulative Update for Microsoft server operating system preview (KB5017381)](https://support.microsoft.com/kb/KB5017381) or later installed. +Azure AD Authentication can be used on the following operating systems for both the local and remote device: +- Windows 11 with [2022-10 Cumulative Updates for Windows 11 (KB5018418)](https://support.microsoft.com/kb/KB5018418) or later installed. +- Windows 10, version 20H2 or later with [2022-10 Cumulative Updates for Windows 10 (KB5018410)](https://support.microsoft.com/kb/KB5018410) or later installed. +- Windows Server 2022 with [2022-10 Cumulative Update for Microsoft server operating system (KB5018421)](https://support.microsoft.com/kb/KB5018421) or later installed. + There's no requirement for the local device to be joined to a domain or Azure AD. As a result, this method allows you to connect to the remote Azure AD joined device from: - [Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join) or [Hybrid Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid) device. - Active Directory joined device. - Workgroup device. + +Azure AD authentication can also be used to connect to Hybrid Azure AD joined devices. To connect to the remote computer: 
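Review bot: In the "Connect with Azure AD Authentication" hunk of PATCH 085, the new sentence "Azure AD authentication can also be used to connect to Hybrid Azure AD joined devices." is placed directly under the list of local-device types, but it describes the remote device; move it next to the earlier statement about connecting "to the remote Azure AD joined device" so it isn't read as a fourth local-device option. The rewritten operating-system paragraph also now runs straight into the `-` list with no blank line between "for both the local and remote device:" and "- Windows 11 with ..."; keep the blank line the old text had so the list renders consistently with the rest of the file.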
@@ -54,6 +56,7 @@ To connect to the remote computer: > [!NOTE] > IP address cannot be used when **Use a web account to sign in to the remote computer** option is used. + > The name must match the hostname of the remote device in Azure AD and be network addressable, resolving to the IP address of the remote device. - When prompted for credentials, specify your user name in `user@domain.com` format. - You're then prompted to allow the remote desktop connection when connecting to a new PC. Azure AD remembers up to 15 hosts for 30 days before prompting again. If you see this dialogue, select **Yes** to connect. @@ -103,7 +106,7 @@ This table lists the supported configurations for remotely connecting to an Azur > If the RDP client is running Windows Server 2016 or Windows Server 2019, to be able to connect to Azure AD joined devices, it must [allow Public Key Cryptography Based User-to-User (PKU2U) authentication requests to use online identities](/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities). > [!NOTE] -> When an Azure AD group is added to the **Remote Desktop Users** group on a Windows device, it isn't honoured when the user that belongs to the Azure AD group logs in through RDP resulting in failure to establish the remote connection. In this scenario, Network Level Authentication should be disabled to allow the connection. +> When an Azure AD group is added to the **Remote Desktop Users** group on a Windows device, it isn't honored when the user that belongs to the Azure AD group logs in through RDP resulting in failure to establish the remote connection. In this scenario, Network Level Authentication should be disabled to allow the connection. ## Add users to Remote Desktop Users group 
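Review bot: The hostname requirement added to the `[!NOTE]` in the connection steps (PATCH 085) is appended as a second `>` line with no empty `>` line before it, so it renders as a continuation of the "IP address cannot be used ..." paragraph; either separate the two with an empty `>` line or merge them into one deliberate sentence. The requirement itself deserves the prominence: the name must both match the device's hostname in Azure AD and resolve to the remote device's IP address, and readers troubleshooting a failed connection will want that stated as two distinct checks.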
@@ -126,3 +129,5 @@ Remote Desktop Users group is used to grant users and groups permissions to remo ## Related articles [How to use Remote Desktop](https://support.microsoft.com/windows/how-to-use-remote-desktop-5fe128d5-8fb1-7a23-3b8a-41e636865e8c) + + From e96f2751605477ed3b915b893fafe3f57304ddb4 Mon Sep 17 00:00:00 2001 From: Rebecca Agiewich Date: Fri, 17 Mar 2023 16:11:12 -0700 Subject: [PATCH 087/101] Update windows/client-management/connect-to-remote-aadj-pc.md --- windows/client-management/connect-to-remote-aadj-pc.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/connect-to-remote-aadj-pc.md b/windows/client-management/connect-to-remote-aadj-pc.md index b0f7106613..42c1d58c19 100644 --- a/windows/client-management/connect-to-remote-aadj-pc.md +++ b/windows/client-management/connect-to-remote-aadj-pc.md 
@@ -106,7 +106,7 @@ This table lists the supported configurations for remotely connecting to an Azur > If the RDP client is running Windows Server 2016 or Windows Server 2019, to be able to connect to Azure AD joined devices, it must [allow Public Key Cryptography Based User-to-User (PKU2U) authentication requests to use online identities](/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities). > [!NOTE] -> When an Azure AD group is added to the **Remote Desktop Users** group on a Windows device, it isn't honored when the user that belongs to the Azure AD group logs in through RDP resulting in failure to establish the remote connection. In this scenario, Network Level Authentication should be disabled to allow the connection. +> When an Azure AD group is added to the **Remote Desktop Users** group on a Windows device, it isn't honored when the user that belongs to the Azure AD group logs in through RDP, resulting in failure to establish the remote connection. In this scenario, Network Level Authentication should be disabled to allow the connection. ## Add users to Remote Desktop Users group From 0964d37f99d256ef082d087cfbbc5ef62d341985 Mon Sep 17 00:00:00 2001 From: jsuther1974 Date: Sat, 18 Mar 2023 07:17:58 -0700 Subject: [PATCH 088/101] Update introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md --- ...-based-security-and-windows-defender-application-control.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md b/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md index 09f6cce05f..4f36792ed9 100644 
--- a/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md +++ b/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md @@ -23,6 +23,9 @@ ms.topic: article Windows includes a set of hardware and OS technologies that, when configured together, allow enterprises to "lock down" Windows systems so they behave more like mobile devices. In this configuration, [**Windows Defender Application Control (WDAC)**](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control) is used to restrict devices to run only approved apps, while the OS is hardened against kernel memory attacks using [**memory integrity**](enable-virtualization-based-protection-of-code-integrity.md). +> [!NOTE] +> Memory integrity is sometimes referred to as *hypervisor-protected code integrity (HVCI)* or *hypervisor enforced code integrity*, and was originally released as part of *Device Guard*. Device Guard is no longer used except to locate memory integrity and VBS settings in Group Policy or the Windows registry. + WDAC policies and memory integrity are powerful protections that can be used separately. However, when these two technologies are configured to work together, they present a strong protection capability for Windows devices. Using WDAC to restrict devices to only authorized apps has these advantages over other solutions: From 8b11ac9cc315f8ea13606e1ac2f052bbd42e9e2f Mon Sep 17 00:00:00 2001 
From: Peter Smith Date: Sun, 19 Mar 2023 20:30:54 -0700 Subject: [PATCH 089/101] Clarify when certificates are re-validated The original wording implied that the client would trigger when the certificate expired. It doesn't; the client instead triggers whenever and at that point determines if the certificate has expired. --- .../identity-protection/vpn/vpn-conditional-access.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/vpn/vpn-conditional-access.md b/windows/security/identity-protection/vpn/vpn-conditional-access.md index e9af1d83a5..4e7d339c66 100644 --- a/windows/security/identity-protection/vpn/vpn-conditional-access.md +++ b/windows/security/identity-protection/vpn/vpn-conditional-access.md 
@@ -33,7 +33,7 @@ Conditional Access Platform components used for Device Compliance include the fo - Azure AD Certificate Authority - It is a requirement that the client certificate used for the cloud-based device compliance solution be issued by an Azure Active Directory-based Certificate Authority (CA). An Azure AD CA is essentially a mini-CA cloud tenant in Azure. The Azure AD CA cannot be configured as part of an on-premises Enterprise CA. See also [Always On VPN deployment for Windows Server and Windows 10](/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/always-on-vpn-deploy). -- Azure AD-issued short-lived certificates - When a VPN connection attempt is made, the Azure AD Token Broker on the local device communicates with Azure Active Directory, which then checks for health based on compliance rules. If compliant, Azure AD sends back a short-lived certificate that is used to authenticate the VPN. Note that certificate authentication methods such as EAP-TLS can be used. When that certificate expires, the client will again check with Azure AD for health validation before a new certificate is issued. +- Azure AD-issued short-lived certificates - When a VPN connection attempt is made, the Azure AD Token Broker on the local device communicates with Azure Active Directory, which then checks for health based on compliance rules. If compliant, Azure AD sends back a short-lived certificate that is used to authenticate the VPN. Note that certificate authentication methods such as EAP-TLS can be used. When the client reconnects and determines that the certificate has expired, the client will again check with Azure AD for health validation before a new certificate is issued. 
- [Microsoft Intune device compliance policies](/mem/intune/protect/device-compliance-get-started) - Cloud-based device compliance leverages Microsoft Intune Compliance Policies, which are capable of querying the device state and define compliance rules for the following, among other things. @@ -125,4 +125,4 @@ See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](/windows/clien - [VPN name resolution](vpn-name-resolution.md) - [VPN auto-triggered profile options](vpn-auto-trigger-profile.md) - [VPN security features](vpn-security-features.md) -- [VPN profile options](vpn-profile-options.md) \ No newline at end of file +- [VPN profile options](vpn-profile-options.md) From 3e30d1f3037d0153b6682db76cf9e967c2d293e4 Mon Sep 17 00:00:00 2001 From: mudeeb <35724901+mudeeb@users.noreply.github.com> Date: Mon, 20 Mar 2023 12:51:55 +0300 Subject: [PATCH 090/101] Update hello-faq.yml PIN 1231 doesn't have a constant delta (1,1,8), so it's allowed ====>must be change to ====>PIN 1231 doesn't have a constant delta (1,1,2), so it's allowed. 8 to 2 this is the change --- .../identity-protection/hello-for-business/hello-faq.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml index 621663aecd..bb59a07821 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.yml +++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml 
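Review bot: The reworded short-lived certificate bullet in PATCH 089 still leaves the security consequence implicit: as the commit message explains, the client re-checks with Azure AD only when, on reconnect, it finds the certificate expired, so a reconnect made while the certificate is still valid reuses it without a fresh compliance check, and the certificate lifetime is therefore the longest a device that has dropped out of compliance can keep connecting. Suggest saying that directly, for example "A reconnect with an unexpired certificate doesn't trigger a new health validation; validation is repeated only when the client finds the certificate expired." The second hunk only adds the missing newline at end of file.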
@@ -109,7 +109,7 @@ sections: - The PIN 9630 has a constant delta of (7,7,7), so it isn't allowed - The PIN 1593 has a constant delta of (4,4,4), so it isn't allowed - The PIN 7036 has a constant delta of (3,3,3), so it isn't allowed - - The PIN 1231 doesn't have a constant delta (1,1,8), so it's allowed + - The PIN 1231 doesn't have a constant delta (1,1,2), so it's allowed - The PIN 1872 doesn't have a constant delta (7,9,5), so it's allowed This check prevents repeating numbers, sequential numbers, and simple patterns. It always results in a list of 100 disallowed PINs (independent of the PIN length). This algorithm doesn't apply to alphanumeric PINs. From 34c16a971936e362ccf8916576b72354a3eebff1 Mon Sep 17 00:00:00 2001 From: Herbert Mauerer <41573578+HerbertMauerer@users.noreply.github.com> Date: Mon, 20 Mar 2023 15:49:46 +0100 Subject: [PATCH 091/101] Update event-4769.md Add details to some of the error logging details... --- windows/security/threat-protection/auditing/event-4769.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/auditing/event-4769.md b/windows/security/threat-protection/auditing/event-4769.md index e82434467c..d15a58aca9 100644 --- a/windows/security/threat-protection/auditing/event-4769.md +++ b/windows/security/threat-protection/auditing/event-4769.md 
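Review bot: Changing the PIN 1231 example from (1,1,8) to (1,1,2) makes it inconsistent with every other example in this hunk. The neighbouring lines compute each delta as the next digit minus the previous digit, modulo 10: 9630 gives (7,7,7) because 6 minus 9 wraps to 7, 7036 gives (3,3,3), and 1872 gives (7,9,5) because 7 minus 8 wraps to 9 and 2 minus 7 wraps to 5. Under that convention 1231 is (1,1,8), since 1 minus 3 wraps to 8; (1,1,2) only follows if the delta is an absolute difference, which contradicts the 9630 and 1872 lines. Suggest keeping the original value, or, if the absolute-difference reading is intended, rewriting all five examples together so the check is described consistently.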
@@ -194,7 +194,12 @@ The most common values: | 0x18 | RC4-HMAC-EXP | Default suite for operating systems before Windows Server 2008 and Windows Vista. | | 0xFFFFFFFF or 0xffffffff | - | This type shows in Audit Failure events. | -- **Failure Code** \[Type = HexInt32\]**:** hexadecimal result code of TGS issue operation. The table below contains the list of the most common error codes for this event: +- **Failure Code** \[Type = HexInt32\]**:** hexadecimal result code of TGS issue operation. +Some errors are only reported when you set KdcExtraLogLevel per [Kerberos and KDC registry entries] (https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/kerberos-protocol-registry-kdc-configuration-keys) hexadecimal flag, OR-connected for multiple flags being set: +0x01: Audit SPN unknown errors. +0x10: Log audit events on encryption type (ETYPE) and bad options errors. + +The table below contains the list of the most common error codes for this event: | Code | Code Name | Description | Possible causes | |------|----------------------------------------|-----------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| From 47a7c7eaafc683ac1e3ebcf834dc6cadba1ea241 Mon Sep 17 00:00:00 2001 
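Review bot: The new KdcExtraLogLevel sentence in PATCH 091 has a space between `]` and `(` in `[Kerberos and KDC registry entries] (https://learn.microsoft.com/...)`, so Markdown will not render it as a link, and the target should be a site-relative path (`/troubleshoot/windows-server/windows-security/kerberos-protocol-registry-kdc-configuration-keys`) rather than an absolute learn.microsoft.com URL, matching the other links in this file. The two flag values should be list items (`- 0x01: Audit SPN unknown errors.`, `- 0x10: Log audit events on encryption type (ETYPE) and bad options errors.`) instead of bare lines, and "hexadecimal flag, OR-connected for multiple flags being set" reads awkwardly; "a hexadecimal value; combine multiple flags with a bitwise OR" says the same more plainly.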
From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Mon, 20 Mar 2023 11:07:57 -0400 Subject: [PATCH 092/101] Update windows/security/threat-protection/auditing/event-4769.md --- windows/security/threat-protection/auditing/event-4769.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/auditing/event-4769.md b/windows/security/threat-protection/auditing/event-4769.md index d15a58aca9..ad744c30a8 100644 --- a/windows/security/threat-protection/auditing/event-4769.md +++ b/windows/security/threat-protection/auditing/event-4769.md @@ -195,7 +195,7 @@ The most common values: | 0xFFFFFFFF or 0xffffffff | - | This type shows in Audit Failure events. | - **Failure Code** \[Type = HexInt32\]**:** hexadecimal result code of TGS issue operation. -Some errors are only reported when you set KdcExtraLogLevel per [Kerberos and KDC registry entries] (https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/kerberos-protocol-registry-kdc-configuration-keys) hexadecimal flag, OR-connected for multiple flags being set: +Some errors are only reported when you set [KdcExtraLogLevel](/troubleshoot/windows-server/windows-security/kerberos-protocol-registry-kdc-configuration-keys) registry key value with the following flags: 0x01: Audit SPN unknown errors. 0x10: Log audit events on encryption type (ETYPE) and bad options errors. From c1053033ecea65d5d606c7daee8901005a361b80 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Mon, 20 Mar 2023 11:08:04 -0400 Subject: [PATCH 093/101] Update windows/security/threat-protection/auditing/event-4769.md --- windows/security/threat-protection/auditing/event-4769.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/auditing/event-4769.md b/windows/security/threat-protection/auditing/event-4769.md index ad744c30a8..f51f9708f8 100644 
--- a/windows/security/threat-protection/auditing/event-4769.md +++ b/windows/security/threat-protection/auditing/event-4769.md @@ -196,7 +196,7 @@ The most common values: - **Failure Code** \[Type = HexInt32\]**:** hexadecimal result code of TGS issue operation. Some errors are only reported when you set [KdcExtraLogLevel](/troubleshoot/windows-server/windows-security/kerberos-protocol-registry-kdc-configuration-keys) registry key value with the following flags: -0x01: Audit SPN unknown errors. +- 0x01: Audit SPN unknown errors. 0x10: Log audit events on encryption type (ETYPE) and bad options errors. The table below contains the list of the most common error codes for this event: From 0c3889419f44154ef6d7fb813d5bd12861265ba9 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Mon, 20 Mar 2023 11:08:10 -0400 Subject: [PATCH 094/101] Update windows/security/threat-protection/auditing/event-4769.md --- windows/security/threat-protection/auditing/event-4769.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/auditing/event-4769.md b/windows/security/threat-protection/auditing/event-4769.md index f51f9708f8..98746150c6 100644 --- a/windows/security/threat-protection/auditing/event-4769.md +++ b/windows/security/threat-protection/auditing/event-4769.md @@ -197,7 +197,7 @@ The most common values: - **Failure Code** \[Type = HexInt32\]**:** hexadecimal result code of TGS issue operation. Some errors are only reported when you set [KdcExtraLogLevel](/troubleshoot/windows-server/windows-security/kerberos-protocol-registry-kdc-configuration-keys) registry key value with the following flags: - 0x01: Audit SPN unknown errors. -0x10: Log audit events on encryption type (ETYPE) and bad options errors. +- 0x10: Log audit events on encryption type (ETYPE) and bad options errors. The table below contains the list of the most common error codes for this event: 
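Review bot: After PATCH 094 both flag values are proper list items, but the explanatory line "Some errors are only reported when you set ..." and the two `- 0x..` items still appear to start at column 0 directly under the `- **Failure Code**` bullet; if they are not indented under that bullet, Markdown ends the Failure Code item there and the flags become a separate sibling list. Indent the continuation paragraph and the flag items (and "The table below contains ...") under the bullet, and consider squashing PATCHES 092 to 094 into one commit, since they are three one-line corrections to the same three lines.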
From daee9cb7d3a41c012cec4265468d9464eecd96f5 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Mon, 20 Mar 2023 08:21:57 -0700 Subject: [PATCH 095/101] wufbr-upload-latency --- .../update/includes/wufb-reports-onboard-admin-center.md | 1 + windows/deployment/update/wufb-reports-enable.md | 1 + 2 files changed, 2 insertions(+) diff --git a/windows/deployment/update/includes/wufb-reports-onboard-admin-center.md b/windows/deployment/update/includes/wufb-reports-onboard-admin-center.md index 5bdb86a402..70c1948c7a 100644 --- a/windows/deployment/update/includes/wufb-reports-onboard-admin-center.md +++ b/windows/deployment/update/includes/wufb-reports-onboard-admin-center.md @@ -18,6 +18,7 @@ ms.localizationpriority: medium - The Azure subscription - The Log Analytics workspace 1. The initial setup can take up to 24 hours. During this time, the **Windows** tab will display that it's **Waiting for Windows Update for Business reports data**. + - Enrolling into Windows Update for Business reports doesn't influence the rate that required data is uploaded from devices. Device connectivity to the internet and how active the device is influences how long it will take before the device appears in reporting. Devices that are active and connected to the internet daily can expect to be fully uploaded within one week (usually less than 72 hours). Devices that are less active can take up to two weeks before data is fully available. 1. After the initial setup is complete, the **Windows** tab will display your Windows Update for Business reports data in the charts. > [!Note] > The device counts in the **Windows** tab may vary from the **Microsoft 365 Apps** tab since their requirements are different. diff --git a/windows/deployment/update/wufb-reports-enable.md b/windows/deployment/update/wufb-reports-enable.md index 4cecd5ccdd..a02c8ece15 100644 --- a/windows/deployment/update/wufb-reports-enable.md 
+++ b/windows/deployment/update/wufb-reports-enable.md @@ -69,6 +69,7 @@ Use one of the following methods to enroll into Windows Update for Business repo > [!Tip] > If a `403 Forbidden` error occurs, verify the account you're using has [permissions](wufb-reports-prerequisites.md#permissions) to enroll into Windows Update for Business reports. 1. The initial setup can take up to 24 hours. During this time, the workbook will display that it's **Waiting for Windows Update for Business reports data**. + - Enrolling into Windows Update for Business reports doesn't influence the rate that required data is uploaded from devices. Device connectivity to the internet and how active the device is influences how long it will take before the device appears in reporting. Devices that are active and connected to the internet daily can expect to be fully uploaded within one week (usually less than 72 hours). Devices that are less active can take up to two weeks before data is fully available. ##### Enroll through the Microsoft 365 admin center From f79dab126ab2c8c56b24191a39ac18ed41b727b2 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Mon, 20 Mar 2023 11:27:57 -0400 Subject: [PATCH 096/101] Refresh SmartScreen overview --- .../microsoft-defender-smartscreen-overview.md | 17 +++++------------ 1 file changed, 5 insertions(+), 12 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md index ba53584a0f..dbb586c517 100644 --- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md +++ b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md 
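Review bot: The upload-latency bullet added in PATCH 095 is word-for-word identical in `includes/wufb-reports-onboard-admin-center.md` and `wufb-reports-enable.md`; since the first file is already an include, move the shared sentence into an include (or include the first file from the second) so the figures it states (fully uploaded within one week, usually under 72 hours, up to two weeks for less active devices) cannot drift apart in later edits.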
@@ -5,14 +5,14 @@ ms.prod: windows-client author: vinaypamnani-msft ms.author: vinpa ms.localizationpriority: high -ms.reviewer: +ms.reviewer: manager: aaroncz ms.technology: itpro-security adobe-target: true -ms.collection: +ms.collection: - tier2 - highpri -ms.date: 12/31/2017 +ms.date: 03/20/2023 ms.topic: article --- @@ -29,13 +29,11 @@ Microsoft Defender SmartScreen protects against phishing or malware websites and **Microsoft Defender SmartScreen determines whether a site is potentially malicious by:** - Analyzing visited webpages and looking for indications of suspicious behavior. If Microsoft Defender SmartScreen determines that a page is suspicious, it will show a warning page to advise caution. - - Checking the visited sites against a dynamic list of reported phishing sites and malicious software sites. If it finds a match, Microsoft Defender SmartScreen shows a warning to let the user know that the site might be malicious. **Microsoft Defender SmartScreen determines whether a downloaded app or app installer is potentially malicious by:** - Checking downloaded files against a list of reported malicious software sites and programs known to be unsafe. If it finds a match, Microsoft Defender SmartScreen shows a warning to let the user know that the site might be malicious. - - Checking downloaded files against a list of files that are well known and downloaded by many Windows users. If the file isn't on that list, Microsoft Defender SmartScreen shows a warning, advising caution. ## Benefits of Microsoft Defender SmartScreen 
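Review bot: The first item under "determines whether a downloaded app or app installer is potentially malicious" still carries a copy-paste error in its unchanged line: "If it finds a match, Microsoft Defender SmartScreen shows a warning to let the user know that the site might be malicious" should say the file (or app) might be malicious, since this list is about downloaded files rather than visited sites. As this commit is a content refresh that only drops blank lines in this hunk, it is the natural place to correct that.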
@@ -43,15 +41,10 @@ Microsoft Defender SmartScreen protects against phishing or malware websites and Microsoft Defender SmartScreen provide an early warning system against websites that might engage in phishing attacks or attempt to distribute malware through a socially engineered attack. The primary benefits are: - **Anti-phishing and anti-malware support:** Microsoft Defender SmartScreen helps to protect users from sites that are reported to host phishing attacks or attempt to distribute malicious software. It can also help protect against deceptive advertisements, scam sites, and drive-by attacks. Drive-by attacks are web-based attacks that tend to start on a trusted site, targeting security vulnerabilities in commonly used software. Because drive-by attacks can happen even if the user doesn't select or download anything on the page, the danger often goes unnoticed. For more information about drive-by attacks, see [Evolving Microsoft Defender SmartScreen to protect you from drive-by attacks](https://blogs.windows.com/msedgedev/2015/12/16/SmartScreen-drive-by-improvements/). - - **Reputation-based URL and app protection:** Microsoft Defender SmartScreen evaluates a website's URLs to determine if they're known to distribute or host unsafe content. It also provides reputation checks for apps, checking downloaded programs and the digital signature used to sign a file. If a URL, a file, an app, or a certificate has an established reputation, users won't see any warnings. If there's no reputation, the item is marked as a higher risk and presents a warning to the user. - - **Operating system integration:** Microsoft Defender SmartScreen is integrated into the Windows 10 operating system. It checks any files an app (including 3rd-party browsers and email clients) that attempts to download and run. 
- - **Improved heuristics and diagnostic data:** Microsoft Defender SmartScreen is constantly learning and endeavoring to stay up to date, so it can help to protect you against potentially malicious sites and files. - - **Management through group policy and Microsoft Intune:** Microsoft Defender SmartScreen supports using both group policy and Microsoft Intune settings. For more info about all available settings, see [Available Microsoft Defender SmartScreen group policy and mobile device management (MDM) settings](microsoft-defender-smartscreen-available-settings.md). - - **Blocking URLs associated with potentially unwanted applications:** In Microsoft Edge (based on Chromium), SmartScreen blocks URLs associated with potentially unwanted applications, or PUAs. For more information on blocking URLs associated with PUAs, see [Detect and block potentially unwanted applications](/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus). > [!IMPORTANT] 
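Review bot: Two context lines in this hunk are worth fixing while the list is being reflowed: "Microsoft Defender SmartScreen provide an early warning system" should be "provides", and "It checks any files an app (including 3rd-party browsers and email clients) that attempts to download and run" is missing a word; suggest "It checks any files that an app (including third-party browsers and email clients) attempts to download and run". That same bullet says SmartScreen "is integrated into the Windows 10 operating system"; with ms.date moving to 2023, confirm whether the sentence should name Windows 11 as well.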
@@ -61,14 +54,14 @@ Microsoft Defender SmartScreen provide an early warning system against websites If you believe a warning or block was incorrectly shown for a file or application, or if you believe an undetected file is malware, you can [submit a file](https://www.microsoft.com/wdsi/filesubmission/) to Microsoft for review. For more information, see [Submit files for analysis](/microsoft-365/security/intelligence/submission-guide). -When submitting Microsoft Defender SmartScreen products, make sure to select **Microsoft Defender SmartScreen** from the product menu. +When submitting a file for Microsoft Defender SmartScreen, make sure to select **Microsoft Defender SmartScreen** from the product menu. ![Windows Security, Microsoft Defender SmartScreen controls.](images/Microsoft-defender-smartscreen-submission.png) ## Viewing Microsoft Defender SmartScreen anti-phishing events > [!NOTE] -> No SmartScreen events will be logged when using Microsoft Edge version 77 or later. +> No SmartScreen events are logged when using Microsoft Edge version 77 or later. When Microsoft Defender SmartScreen warns or blocks a user from a website, it's logged as [Event 1035 - Anti-Phishing](/previous-versions/windows/internet-explorer/ie-developer/compatibility/dd565657(v=vs.85)). From 95221c17313bc7bf2b2cf006e01f061c75c6c3eb Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Mon, 20 Mar 2023 10:04:15 -0700 Subject: [PATCH 097/101] rearrange perms --- .../includes/wufb-reports-admin-center-permissions.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md b/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md index c77315543a..b132951a59 100644 --- a/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md +++ b/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md 
@@ -21,3 +21,9 @@ To enroll into Windows Update for Business reports, edit configuration settings, To display the workbook and view the **Windows** tab in the **Software Updates** page [Microsoft 365 admin center](https://admin.microsoft.com) use the following role: - [Global Reader role](/azure/active-directory/roles/permissions-reference#global-reader) + +**Log Analytics permissions**: + +The data for Windows Update for Business reports is routed to a Log Analytics workspace for querying and analysis. To display or query data, users must have one of the following roles, or the equivalent permissions: +- [Log Analytics Contributor](/azure/role-based-access-control/built-in-roles#log-analytics-contributor) role can be used to edit and write queries +- [Log Analytics Reader](/azure/role-based-access-control/built-in-roles#log-analytics-reader) role can be used to read data From eb8596a85132b591fd4f28fd46d3c720c183bc46 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Mon, 20 Mar 2023 10:16:36 -0700 Subject: [PATCH 098/101] rearrange perms --- windows/deployment/update/wufb-reports-prerequisites.md | 6 ------ 1 file changed, 6 deletions(-) diff --git a/windows/deployment/update/wufb-reports-prerequisites.md b/windows/deployment/update/wufb-reports-prerequisites.md index 0afb403c8d..fa6514d687 100644 --- a/windows/deployment/update/wufb-reports-prerequisites.md +++ b/windows/deployment/update/wufb-reports-prerequisites.md 
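Review bot: The block moved into the include uses a bold line ("**Log Analytics permissions**:") as a pseudo-heading while the surrounding text uses plain sentences and lists, and the bullet list starts on the line immediately after "…or the equivalent permissions:" with no blank line, which some Markdown renderers fold into the paragraph. Because this is an include file named for the admin center, check every page that renders it and confirm the Log Analytics roles are wanted in each of those places, not only on the prerequisites page they were copied from.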
@@ -30,12 +30,6 @@ Before you begin the process of adding Windows Update for Business reports to yo [!INCLUDE [Windows Update for Business reports permissions](./includes/wufb-reports-admin-center-permissions.md)] -**Log Analytics permissions**: - -The data for Windows Update for Business reports is routed to a Log Analytics workspace for querying and analysis. To display or query data, users must have one of the following roles, or the equivalent permissions: -- [Log Analytics Contributor](/azure/role-based-access-control/built-in-roles#log-analytics-contributor) role can be used to edit and write queries -- [Log Analytics Reader](/azure/role-based-access-control/built-in-roles#log-analytics-reader) role can be used to read data - ## Operating systems and editions - Windows 11 Professional, Education, Enterprise, and [Enterprise multi-session](/azure/virtual-desktop/windows-10-multisession-faq) editions From 0ab0223ba540b4bc0bdde87fcac811f497a5b6df Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Mon, 20 Mar 2023 10:50:29 -0700 Subject: [PATCH 099/101] broken links MAXADO-7714674 --- windows/whats-new/ltsc/whats-new-windows-10-2021.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2021.md b/windows/whats-new/ltsc/whats-new-windows-10-2021.md index c6f1572c34..ccc6db0ea1 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2021.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2021.md 
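Review bot: This removal relies on the include added in the previous commit (097) to keep the Log Analytics roles on the prerequisites page, so in the intermediate state the roles appear twice on that page (once from the include, once inline). A move like this reads better as a single commit; if the two must stay separate, the commit message "rearrange perms" should state that the content now comes from wufb-reports-admin-center-permissions.md so the history explains the deletion.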
@@ -30,7 +30,7 @@ The Windows 10 Enterprise LTSC 2021 release includes the cumulative enhancements ## Lifecycle > [!IMPORTANT] -> Windows 10 Enterprise LTSC 2021 has a 5 year lifecycle ([IoT](/windows/iot/product-family/what's-new-in-windows-10-iot-enterprise-21h2) continues to have a [10 year lifecycle](/windows/iot/product-family/product-lifecycle?tabs=2021)). Thus, the LTSC 2021 release is not a direct replacement for LTSC 2019, which has a 10 year lifecycle. +> Windows 10 Enterprise LTSC 2021 has a 5 year lifecycle ([IoT Enterprise LTSC](/windows/iot/iot-enterprise/whats-new/windows-iot-enterprise-ltsc) continues to have a [10 year lifecycle](/lifecycle/products/windows-10-iot-enterprise-ltsc-2021)). Thus, the LTSC 2021 release is not a direct replacement for LTSC 2019, which has a 10 year lifecycle. For more information about the lifecycle for this release, see [The next Windows 10 Long Term Servicing Channel (LTSC) release](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/the-next-windows-10-long-term-servicing-channel-ltsc-release/ba-p/2147232). @@ -227,7 +227,7 @@ Microsoft Edge Browser support is now included in-box. ### Microsoft Edge kiosk mode -Microsoft Edge kiosk mode is available for LTSC releases starting in Windows 10 Enterprise 2021 LTSC and [Windows 10 IoT Enterprise 2021 LTSC](/windows/iot/product-family/what's-new-in-windows-10-iot-enterprise-21h2). +Microsoft Edge kiosk mode is available for LTSC releases starting in Windows 10 Enterprise 2021 LTSC and [Windows 10 IoT Enterprise 2021 LTSC](/windows/iot/iot-enterprise/whats-new/windows-iot-enterprise-ltsc). Microsoft Edge kiosk mode offers two lockdown experiences of the browser so organizations can create, manage, and provide the best experience for their customers. The following lockdown experiences are available: - Digital/Interactive Signage experience - Displays a specific site in full-screen mode. From dc31693aa161900ce1d89298089ef85948abf8f9 Mon Sep 17 00:00:00 2001 
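Review bot: In the Microsoft Edge kiosk mode hunk the link text still reads "Windows 10 IoT Enterprise 2021 LTSC" but the target changes from a 21H2-specific page to the generic windows-iot-enterprise-ltsc what's-new page; verify that page covers the 2021 release specifically, or drop "2021" from the link text so text and target agree. The lifecycle link in the first hunk now points at a 2021-specific product page, so that one is consistent.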
From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Mon, 20 Mar 2023 15:07:40 -0400 Subject: [PATCH 100/101] Clarify where VM can be hosted Clarified where VM can be hosted --- windows/deployment/vda-subscription-activation.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/deployment/vda-subscription-activation.md b/windows/deployment/vda-subscription-activation.md index 0b6ed5832d..bfd4b4c563 100644 --- a/windows/deployment/vda-subscription-activation.md +++ b/windows/deployment/vda-subscription-activation.md @@ -1,6 +1,7 @@ --- title: Configure VDA for Windows subscription activation description: Learn how to configure virtual machines (VMs) to enable Windows 10 Subscription Activation in a Windows Virtual Desktop Access (VDA) scenario. +ms.reviewer: nganguly manager: aaroncz ms.author: frankroj author: frankroj @@ -37,7 +38,7 @@ Deployment instructions are provided for the following scenarios: ### Scenario 1 - The VM is running a supported version of Windows. -- The VM is hosted in Azure or another Qualified Multitenant Hoster (QMTH). +- The VM is hosted in Azure, an authorized outsourcer, or another Qualified Multitenant Hoster (QMTH). When a user with VDA rights signs in to the VM using their Azure AD credentials, the VM is automatically stepped-up to Enterprise and activated. There's no need to do Windows Pro activation. This functionality eliminates the need to maintain KMS or MAK in the qualifying cloud infrastructure. From 12b377813868bc07a7aaa9834ba72680a7fbb627 Mon Sep 17 00:00:00 2001 From: Tarun Maganur <104856032+Tarun-Edu@users.noreply.github.com> Date: Tue, 21 Mar 2023 10:31:32 -0700 Subject: [PATCH 101/101] Update windows-11-se-overview.md --- education/windows/windows-11-se-overview.md | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/education/windows/windows-11-se-overview.md b/education/windows/windows-11-se-overview.md index 5744997054..f9adaaae34 100644 
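Review bot: "an authorized outsourcer" is introduced as a third hosting option without a definition or link, while "Qualified Multitenant Hoster (QMTH)" is spelled out; add a link to the licensing terms that define an authorized outsourcer, or a short parenthetical, otherwise readers cannot tell whether their provider qualifies. The unchanged paragraph that follows still speaks of "the qualifying cloud infrastructure", which should now be read to include the outsourcer case; consider adjusting it in the same change.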
--- a/education/windows/windows-11-se-overview.md +++ b/education/windows/windows-11-se-overview.md @@ -90,19 +90,20 @@ The following applications can also run on Windows 11 SE, and can be deployed us | `Bulb Digital Portfolio` | 0.0.7.0 | `Store` | `Bulb` | | `CA Secure Browser` | 14.0.0 | Win32 | `Cambium Development` | | `Cisco Umbrella` | 3.0.110.0 | Win32 | `Cisco` | -| `CKAuthenticator` | 3.6+ | Win32 | `Content Keeper` | -| `Class Policy` | 114.0.0 | Win32 | `Class Policy` | +| `CKAuthenticator` | 3.6+ | Win32 | `ContentKeeper` | +| `Class Policy` | 116.0.0 | Win32 | `Class Policy` | | `Classroom.cloud` | 1.40.0004 | Win32 | `NetSupport` | | `CoGat Secure Browser` | 11.0.0.19 | Win32 | `Riverside Insights` | | `ColorVeil` | 4.0.0.175 | Win32 | `East-Tec` | | `ContentKeeper Cloud` | 9.01.45 | Win32 | `ContentKeeper Technologies` | | `Dragon Professional Individual` | 15.00.100 | Win32 | `Nuance Communications` | -| `DRC INSIGHT Online Assessments` | 12.0.0.0 | `Store` | `Data recognition Corporation` | +| `DRC INSIGHT Online Assessments` | 13.0.0.0 | `Store` | `Data recognition Corporation` | | `Duo from Cisco` | 3.0.0 | Win32 | `Cisco` | | `e-Speaking Voice and Speech recognition` | 4.4.0.8 | Win32 | `e-speaking` | | `EasyReader` | 10.0.3.481 | Win32 | `Dolphin Computer Access` | | `Epson iProjection` | 3.31 | Win32 | `Epson` | | `eTests` | 4.0.25 | Win32 | `CASAS` | +| `FirstVoices Keyboard` | 15.0.270 | Win32 | `SIL International` | | `FortiClient` | 7.2.0.4034+ | Win32 | `Fortinet` | | `Free NaturalReader` | 16.1.2 | Win32 | `Natural Soft` | | `Ghotit Real Writer & Reader` | 10.14.2.3 | Win32 | `Ghotit Ltd` | 
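Review bot: The `CKAuthenticator` row now names the publisher `ContentKeeper`, but the unchanged `ContentKeeper Cloud` row a few lines below lists `ContentKeeper Technologies`; use one form for the vendor. Also, the commit message ("Update windows-11-se-overview.md") does not say what changed; the version bumps and the new rows (`FirstVoices Keyboard`, and `Keyman` in the next hunk) should be listed so the change is searchable later.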
@@ -116,6 +117,7 @@ The following applications can also run on Windows 11 SE, and can be deployed us | `Inspiration 10` | 10.11 | Win32 | `TechEdology Ltd` | | `JAWS for Windows` | 2022.2112.24 | Win32 | `Freedom Scientific` | | `Kite Student Portal` | 9.0.0.0 | Win32 | `Dynamic Learning Maps` | +| `Keyman` | 16.0.138 | Win32 | `SIL International` | `Kortext` | 2.3.433.0 | `Store` | `Kortext` | | `Kurzweil 3000 Assistive Learning` | 20.13.0000 | Win32 | `Kurzweil Educational Systems` | | `LanSchool Classic` | 9.1.0.46 | Win32 | `Stoneware, Inc.` | @@ -125,7 +127,7 @@ The following applications can also run on Windows 11 SE, and can be deployed us | `Microsoft Connect` | 10.0.22000.1 | `Store` | `Microsoft` | | `Mozilla Firefox` | 105.0.0 | Win32 | `Mozilla` | | `NAPLAN` | 2.5.0 | Win32 | `NAP` | -| `Netref Student` | 22.2.0 | Win32 | `NetRef` | +| `Netref Student` | 23.1.0 | Win32 | `NetRef` | | `NetSupport Manager` | 12.01.0014 | Win32 | `NetSupport` | | `NetSupport Notify` | 5.10.1.215 | Win32 | `NetSupport` | | `NetSupport School` | 14.00.0012 | Win32 | `NetSupport` | 
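Review bot: The added `Keyman` row and the following `Kortext` context row are separated by a single `|`, whereas every other adjacent pair of rows in this table shows `| |` (the closing pipe of one row, then the next row's opening pipe); one of the two rows is missing a pipe, so the table will render with the rows merged or with the Kortext cells shifted. Check the raw file and add the missing `|` on whichever row lost it.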
@@ -143,11 +145,11 @@ The following applications can also run on Windows 11 SE, and can be deployed us | `Senso.Cloud` | 2021.11.15.0 | Win32 | `Senso.Cloud` | | `Smoothwall Monitor` | 2.9.2 | Win32 | `Smoothwall Ltd` | | `SuperNova Magnifier & Screen Reader` | 21.02 | Win32 | `Dolphin Computer Access` | -| `SuperNova Magnifier & Speech` | 21.02 | Win32 | `Dolphin Computer Access` | +| `SuperNova Magnifier & Speech` | 21.03 | Win32 | `Dolphin Computer Access` | |`TX Secure Browser` | 15.0.0 | Win32 | `Cambium Development` | | `VitalSourceBookShelf` | 10.2.26.0 | Win32 | `VitalSource Technologies Inc` | | `Winbird` | 19 | Win32 | `Winbird Co., Ltd.` | -| `WordQ` | 5.4.23 | Win32 | `Mathetmots` | +| `WordQ` | 5.4.23 | Win32 | `WordQ` | | `Zoom` | 5.12.8 (10232) | Win32 | `Zoom` | | `ZoomText Fusion` | 2022.2109.10 | Win32 | `Freedom Scientific` | | `ZoomText Magnifier/Reader` | 2022.2109.25 | Win32 | `Freedom Scientific` |
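Review bot: The `WordQ` row now lists the publisher as `WordQ`, identical to the app name, whereas the other rows give the company (for example `Dolphin Computer Access`, `Freedom Scientific`); confirm the vendor name is really WordQ and not a placeholder for the company behind it. While here, the context row `|`TX Secure Browser` |` lacks the space after the leading pipe that every other row uses.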