resolve merge conflict

Aaron Czechowski 2023-03-21 12:52:09 -07:00
commit 0a2d9c93f9
102 changed files with 1358 additions and 2243 deletions

View File

@ -1,4 +1,4 @@
{:allowed-branchname-matches ["main"]
{:allowed-branchname-matches ["main" "release-.*"]
:allowed-filename-matches ["windows/"]
:targets
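Review bot: the added `"release-.*"` pattern in `:allowed-branchname-matches` is a regular expression, so confirm whether the tool anchors the match; if it does a substring match, any branch whose name merely contains `release-` would also pass the filter alongside `main`. If only branches that start with `release-` are intended, an explicit anchor such as `"^release-.*$"` removes the ambiguity.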

View File

@ -19697,7 +19697,12 @@
},
{
"source_path": "windows/client-management/mdm/change-history-for-mdm-documentation.md",
"redirect_url": "/windows/client-management/change-history-for-mdm-documentation",
"redirect_url": "/windows/client-management/new-in-windows-mdm-enrollment-management",
"redirect_document_id": false
},
{
"source_path": "windows/client-management/change-history-for-mdm-documentation.md",
"redirect_url": "/windows/client-management/new-in-windows-mdm-enrollment-management",
"redirect_document_id": false
},
{
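Review bot: both the old path `windows/client-management/mdm/change-history-for-mdm-documentation.md` and the new `windows/client-management/change-history-for-mdm-documentation.md` now redirect straight to `/windows/client-management/new-in-windows-mdm-enrollment-management`, which avoids a two-hop chain through the intermediate URL the removed line pointed at. Keeping `redirect_document_id: false` on both entries is correct, since only one source can carry a document id to a given target.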
@ -19944,8 +19949,8 @@
"source_path": "windows/client-management/mdm/wmi-providers-supported-in-windows.md",
"redirect_url": "/windows/client-management/wmi-providers-supported-in-windows",
"redirect_document_id": false
},
{
},
{
"source_path": "windows/deployment/do/mcc-enterprise.md",
"redirect_url": "/windows/deployment/do/waas-microsoft-connected-cache",
"redirect_document_id": false
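Review bot: this hunk drops the redirect entry for `windows/client-management/mdm/wmi-providers-supported-in-windows.md` without adding a replacement, so unless that file still exists at its old path or the same mapping appears elsewhere in the redirection file, inbound links to the old URL will break after this merge. Given the commit message is `resolve merge conflict`, confirm the removal was intentional and not a line lost while reconciling the two sides.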
@ -20055,6 +20060,81 @@
"redirect_url": "/troubleshoot/windows-client/welcome-windows-client",
"redirect_document_id": false
},
{
"source_path": "windows/client-management/management-tool-for-windows-store-for-business.md",
"redirect_url": "https://aka.ms/windows/msfb_evolution",
"redirect_document_id": false
},
{
"source_path": "windows/client-management/rest-api-reference-windows-store-for-business.md",
"redirect_url": "https://aka.ms/windows/msfb_evolution",
"redirect_document_id": false
},
{
"source_path": "windows/client-management/data-structures-windows-store-for-business.md",
"redirect_url": "https://aka.ms/windows/msfb_evolution",
"redirect_document_id": false
},
{
"source_path": "windows/client-management/get-inventory.md",
"redirect_url": "https://aka.ms/windows/msfb_evolution",
"redirect_document_id": false
},
{
"source_path": "windows/client-management/get-product-details.md",
"redirect_url": "https://aka.ms/windows/msfb_evolution",
"redirect_document_id": false
},
{
"source_path": "windows/client-management/get-localized-product-details.md",
"redirect_url": "https://aka.ms/windows/msfb_evolution",
"redirect_document_id": false
},
{
"source_path": "windows/client-management/get-offline-license.md",
"redirect_url": "https://aka.ms/windows/msfb_evolution",
"redirect_document_id": false
},
{
"source_path": "windows/client-management/get-product-packages.md",
"redirect_url": "https://aka.ms/windows/msfb_evolution",
"redirect_document_id": false
},
{
"source_path": "windows/client-management/get-product-package.md",
"redirect_url": "https://aka.ms/windows/msfb_evolution",
"redirect_document_id": false
},
{
"source_path": "windows/client-management/get-seats.md",
"redirect_url": "https://aka.ms/windows/msfb_evolution",
"redirect_document_id": false
},
{
"source_path": "windows/client-management/get-seat.md",
"redirect_url": "https://aka.ms/windows/msfb_evolution",
"redirect_document_id": false
},
{
"source_path": "windows/client-management/assign-seats.md",
"redirect_url": "https://aka.ms/windows/msfb_evolution",
"redirect_document_id": false
},
{
"source_path": "windows/client-management/reclaim-seat-from-user.md",
"redirect_url": "https://aka.ms/windows/msfb_evolution",
"redirect_document_id": false
},
{
"source_path": "windows/client-management/bulk-assign-and-reclaim-seats-from-user.md",
"redirect_url": "https://aka.ms/windows/msfb_evolution",
"redirect_document_id": false
},
{
"source_path": "windows/client-management/get-seats-assigned-to-a-user.md",
"redirect_url": "https://aka.ms/windows/msfb_evolution",
"redirect_document_id": false
},
{
"source_path": "education/windows/set-up-school-pcs-shared-pc-mode.md",
"redirect_url": "/windows/configuration/set-up-shared-or-guest-pc",
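Review bot: all fifteen Microsoft Store for Business reference pages in this hunk (from `management-tool-for-windows-store-for-business.md` through `get-seats-assigned-to-a-user.md`) are redirected to the single external short link `https://aka.ms/windows/msfb_evolution` with `redirect_document_id: false`, which is the right setting for an off-site target. Because an aka.ms alias can be repointed outside this repository, the eventual destination of these deep links is not reviewable here; a site-relative target, or a note in the commit message naming who owns the alias, would make the redirect auditable.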
@ -20654,6 +20734,11 @@
"source_path": "windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business.md",
"redirect_url": "https://aka.ms/AzureCodeSigning",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md",
"redirect_url": "/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy",
"redirect_document_id": true
}
]
}
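Review bot: the new entry sends `use-device-guard-signing-portal-in-microsoft-store-for-business.md` to the external `https://aka.ms/AzureCodeSigning` with `redirect_document_id: false`, consistent with the other off-site redirects in this commit; the neighbouring `windows-autopatch-privacy.md` entry keeps `true` because its target is an in-site page, so the two values are not in conflict. The added object ends with `},` and the file's closing `]` and `}` are untouched, so the JSON stays well formed.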

View File

@ -27,7 +27,9 @@
}
],
"globalMetadata": {
"uhfHeaderId": "MSDocsHeader-MSEdge",
"recommendations": true,
"adobe-target": true,
"ms.collection": [
"tier3"
],
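Review bot: `"adobe-target": true` is added to `globalMetadata` here and in the same position in the other docfx.json hunks of this commit (the docsets with the `tier3`, `education`, and `tier2` collections), so the flag is applied docset-wide rather than per article. A global metadata switch named for a third-party service is a cross-cutting change that deserves its own line in the commit message rather than arriving under `resolve merge conflict`, so reviewers can tell it was merged deliberately.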

View File

@ -24,6 +24,7 @@
],
"globalMetadata": {
"recommendations": true,
"adobe-target": true,
"ms.collection": [
"tier3"
],

View File

@ -28,6 +28,7 @@
],
"globalMetadata": {
"recommendations": true,
"adobe-target": true,
"ms.topic": "article",
"ms.collection": [
"education",

View File

@ -2,6 +2,19 @@
## Week of March 06, 2023
| Published On |Topic title | Change |
|------|------------|--------|
| 3/8/2023 | Change to Windows 10 Education from Windows 10 Pro | removed |
| 3/8/2023 | [Deployment recommendations for school IT administrators](/education/windows/edu-deployment-recommendations) | modified |
| 3/8/2023 | Enable S mode on Surface Go devices for Education | removed |
| 3/8/2023 | Switch to Windows 10 Pro Education in S mode from Windows 10 Pro in S mode | removed |
| 3/8/2023 | Test Windows 10 in S mode on existing Windows 10 education devices | removed |
| 3/9/2023 | [Windows for Education documentation](/education/windows/index) | modified |
## Week of February 27, 2023

View File

@ -1,7 +1,7 @@
---
title: Configure federated sign-in for Windows devices
description: Description of federated sign-in feature for the Education SKUs of Windows 11 and how to configure it via Intune or provisioning packages.
ms.date: 02/24/2023
ms.date: 03/15/2023
ms.topic: how-to
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>

View File

@ -112,7 +112,9 @@ If you're using Microsoft Intune to manage your devices, follow these steps to d
1. Under *App type*, select **Microsoft Store app (new)** and choose **Select**
1. Select **Search the Microsoft Store app (new)** and search for **Minecraft Education**
1. Select the app and choose **Select**
1. On the *App information* screen, select **Next**
1. On the *App information* screen, select the *install behavior*, then select **Next**
- *System* means install for all users (recommended for most scenarios)
- *User* means only install for the targeted user or current user of a device
1. On the *Assignments* screen, choose how you want to target the installation of Minecraft Education
- *Required* means that Intune installs the app without user interaction
- *Available* enables Minecraft Education in the Company Portal, where users can install the app on-demand

View File

@ -7,7 +7,7 @@ ms.topic: include
To configure devices with Microsoft Intune, use a custom policy:
1. Go to the <a href="https://intune.micorsoft.com" target="_blank"><b>Microsoft Intune admin center</b></a>
1. Go to the <a href="https://intune.microsoft.com" target="_blank"><b>Microsoft Intune admin center</b></a>
2. Select **Devices > Configuration profiles > Create profile**
3. Select **Platform > Windows 10 and later** and **Profile type > Templates > Custom**
4. Select **Create**

View File

@ -90,19 +90,20 @@ The following applications can also run on Windows 11 SE, and can be deployed us
| `Bulb Digital Portfolio` | 0.0.7.0 | `Store` | `Bulb` |
| `CA Secure Browser` | 14.0.0 | Win32 | `Cambium Development` |
| `Cisco Umbrella` | 3.0.110.0 | Win32 | `Cisco` |
| `CKAuthenticator` | 3.6+ | Win32 | `Content Keeper` |
| `Class Policy` | 114.0.0 | Win32 | `Class Policy` |
| `CKAuthenticator` | 3.6+ | Win32 | `ContentKeeper` |
| `Class Policy` | 116.0.0 | Win32 | `Class Policy` |
| `Classroom.cloud` | 1.40.0004 | Win32 | `NetSupport` |
| `CoGat Secure Browser` | 11.0.0.19 | Win32 | `Riverside Insights` |
| `ColorVeil` | 4.0.0.175 | Win32 | `East-Tec` |
| `ContentKeeper Cloud` | 9.01.45 | Win32 | `ContentKeeper Technologies` |
| `Dragon Professional Individual` | 15.00.100 | Win32 | `Nuance Communications` |
| `DRC INSIGHT Online Assessments` | 12.0.0.0 | `Store` | `Data recognition Corporation` |
| `DRC INSIGHT Online Assessments` | 13.0.0.0 | `Store` | `Data recognition Corporation` |
| `Duo from Cisco` | 3.0.0 | Win32 | `Cisco` |
| `e-Speaking Voice and Speech recognition` | 4.4.0.8 | Win32 | `e-speaking` |
| `EasyReader` | 10.0.3.481 | Win32 | `Dolphin Computer Access` |
| `Epson iProjection` | 3.31 | Win32 | `Epson` |
| `eTests` | 4.0.25 | Win32 | `CASAS` |
| `FirstVoices Keyboard` | 15.0.270 | Win32 | `SIL International` |
| `FortiClient` | 7.2.0.4034+ | Win32 | `Fortinet` |
| `Free NaturalReader` | 16.1.2 | Win32 | `Natural Soft` |
| `Ghotit Real Writer & Reader` | 10.14.2.3 | Win32 | `Ghotit Ltd` |
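Review bot: publisher naming is still inconsistent after the `CKAuthenticator` row change: it now reads `ContentKeeper` while the `ContentKeeper Cloud` row in the same hunk still says `ContentKeeper Technologies`; pick one form for the same vendor. The `+` suffix on `3.6+` and on the new `FortiClient` `7.2.0.4034+` signals a minimum version, unlike the exact versions elsewhere in the table; a short note explaining that convention would help admins who use this list to validate what they deploy.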
@ -116,6 +117,7 @@ The following applications can also run on Windows 11 SE, and can be deployed us
| `Inspiration 10` | 10.11 | Win32 | `TechEdology Ltd` |
| `JAWS for Windows` | 2022.2112.24 | Win32 | `Freedom Scientific` |
| `Kite Student Portal` | 9.0.0.0 | Win32 | `Dynamic Learning Maps` |
| `Keyman` | 16.0.138 | Win32 | `SIL International`
| `Kortext` | 2.3.433.0 | `Store` | `Kortext` |
| `Kurzweil 3000 Assistive Learning` | 20.13.0000 | Win32 | `Kurzweil Educational Systems` |
| `LanSchool Classic` | 9.1.0.46 | Win32 | `Stoneware, Inc.` |
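Review bot: the added `Keyman` row is missing its trailing `|`, unlike every other row in the table; some renderers tolerate it, but it should read `| \`Keyman\` | 16.0.138 | Win32 | \`SIL International\` |` for consistency. The row is also inserted after `Kite Student Portal`, which breaks the table's alphabetical order (`Keyman` sorts before `Kite`).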
@ -125,7 +127,7 @@ The following applications can also run on Windows 11 SE, and can be deployed us
| `Microsoft Connect` | 10.0.22000.1 | `Store` | `Microsoft` |
| `Mozilla Firefox` | 105.0.0 | Win32 | `Mozilla` |
| `NAPLAN` | 2.5.0 | Win32 | `NAP` |
| `Netref Student` | 22.2.0 | Win32 | `NetRef` |
| `Netref Student` | 23.1.0 | Win32 | `NetRef` |
| `NetSupport Manager` | 12.01.0014 | Win32 | `NetSupport` |
| `NetSupport Notify` | 5.10.1.215 | Win32 | `NetSupport` |
| `NetSupport School` | 14.00.0012 | Win32 | `NetSupport` |
@ -143,11 +145,11 @@ The following applications can also run on Windows 11 SE, and can be deployed us
| `Senso.Cloud` | 2021.11.15.0 | Win32 | `Senso.Cloud` |
| `Smoothwall Monitor` | 2.9.2 | Win32 | `Smoothwall Ltd` |
| `SuperNova Magnifier & Screen Reader` | 21.02 | Win32 | `Dolphin Computer Access` |
| `SuperNova Magnifier & Speech` | 21.02 | Win32 | `Dolphin Computer Access` |
| `SuperNova Magnifier & Speech` | 21.03 | Win32 | `Dolphin Computer Access` |
|`TX Secure Browser` | 15.0.0 | Win32 | `Cambium Development` |
| `VitalSourceBookShelf` | 10.2.26.0 | Win32 | `VitalSource Technologies Inc` |
| `Winbird` | 19 | Win32 | `Winbird Co., Ltd.` |
| `WordQ` | 5.4.23 | Win32 | `Mathetmots` |
| `WordQ` | 5.4.23 | Win32 | `WordQ` |
| `Zoom` | 5.12.8 (10232) | Win32 | `Zoom` |
| `ZoomText Fusion` | 2022.2109.10 | Win32 | `Freedom Scientific` |
| `ZoomText Magnifier/Reader` | 2022.2109.25 | Win32 | `Freedom Scientific` |
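Review bot: `SuperNova Magnifier & Speech` moves to 21.03 while the sibling `SuperNova Magnifier & Screen Reader` row from the same publisher stays at 21.02; confirm the second was not meant to move in step. The `WordQ` publisher change from `Mathetmots` to `WordQ` is fine as a correction, and as a drive-by the unchanged `|\`TX Secure Browser\`` row lacks the leading space every other row uses.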

View File

@ -32,6 +32,7 @@
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"adobe-target": true,
"ms.collection": [
"tier2"
],

View File

@ -34,6 +34,7 @@
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"adobe-target": true,
"breadcrumb_path": "/windows/resources/breadcrumb/toc.json",
"ms.collection": [
"tier2"

View File

@ -1,47 +0,0 @@
---
title: Assign seat
description: The Assign seat operation assigns seat for a specified user in the Microsoft Store for Business.
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.date: 09/18/2017
---
# Assign seat
The **Assign seat** operation assigns seat for a specified user in the Microsoft Store for Business.
## Request
**POST:**
```http
https://bspmts.mp.microsoft.com/V1/Inventory/{productId}/{skuId}/Seats/{username}
```
### URI parameters
The following parameters may be specified in the request URI.
|Parameter|Type|Description|
|--- |--- |--- |
|productId|string|Required. Product identifier for an application that is used by the Store for Business.|
|skuId|string|Required. Product identifier that specifies a specific SKU of an application.|
|username|string|Requires UserPrincipalName (UPN). User name of the target user account.|
## Response
### Response body
The response body contains [SeatDetails](data-structures-windows-store-for-business.md#seatdetails).
|Error code|Description|Retry|Data field|Details|
|--- |--- |--- |--- |--- |
|400|Invalid parameters|No|Parameter name <br>Reason: Invalid parameter<br>Details: String|Invalid can include productId, skuId or userName|
|404|Not found||Item type: Inventory, User, Seat<br> <br>Values: ProductId/SkuId, UserName, ProductId/SkuId/UserName|ItemType: Inventory User Seat<br> <br>Values: ProductId/SkuId UserName ProductId/SkuId/UserName|
|409|Conflict||Reason: Not online||

View File

@ -1,48 +0,0 @@
---
title: Bulk assign and reclaim seats from users
description: The Bulk assign and reclaim seats from users operation returns reclaimed or assigned seats in the Microsoft Store for Business.
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.date: 09/18/2017
---
# Bulk assign and reclaim seats from users
The **Bulk assign and reclaim seats from users** operation returns reclaimed or assigned seats in the Microsoft Store for Business.
## Request
**POST**:
```http
https:<span></span>//bspmts.mp.microsoft.com/V1/Inventory/{productId}/{skuId}/Seats
```
### URI parameters
The following parameters may be specified in the request URI.
|Parameter|Type|Description|
|--- |--- |--- |
|productId|string|Required. Product identifier for an application that is used by the Store for Business.|
|skuId|string|Required. Product identifier that specifies a specific SKU of an application.|
|username|string|Requires UserPrincipalName (UPN). User name of the target user account.|
|seatAction|[SeatAction](data-structures-windows-store-for-business.md#seataction) ||
## Response
### Response body
The response body contains [BulkSeatOperationResultSet](data-structures-windows-store-for-business.md#bulkseatoperationresultset).
|Error code|Description|Retry|Data field|
|--- |--- |--- |--- |
|404|Not found||Item type: Inventory<br> Values: ProductId/SkuId|

View File

@ -1,317 +0,0 @@
---
title: Change history for MDM documentation
description: This article lists new and updated articles for Mobile Device Management.
author: vinaypamnani-msft
ms.author: vinpa
ms.reviewer:
manager: aaroncz
ms.topic: article
ms.prod: windows-client
ms.technology: itpro-manage
ms.localizationpriority: medium
ms.date: 11/06/2020
---
# Change history for Mobile Device Management documentation
As of November 2020 This page will no longer be updated. This article lists new and updated articles for the Mobile Device Management (MDM) documentation. Updated articles are those articles that had content addition, removal, or corrections—minor fixes, such as correction of typos, style, or formatting issues aren't listed.
## November 2020
|New or updated article | Description|
|--- | ---|
| [Policy CSP](mdm/policy-configuration-service-provider.md) | Added the following new policy:<br>- [Multitasking/BrowserAltTabBlowout](mdm/policy-csp-multitasking.md#browseralttabblowout) |
| [SurfaceHub CSP](mdm/surfacehub-csp.md) | Added the following new node:<br>-Properties/SleepMode |
## October 2020
|New or updated article | Description|
|--- | ---|
| [Policy CSP](mdm/policy-configuration-service-provider.md) | Added the following new policies<br>- [Experience/DisableCloudOptimizedContent](mdm/policy-csp-experience.md#disablecloudoptimizedcontent)<br>- [LocalUsersAndGroups/Configure](mdm/policy-csp-localusersandgroups.md#configure)<br>- [MixedReality/AADGroupMembershipCacheValidityInDays](mdm/policy-csp-mixedreality.md#aadgroupmembershipcachevalidityindays)<br>- [MixedReality/BrightnessButtonDisabled](mdm/policy-csp-mixedreality.md#brightnessbuttondisabled)<br>- [MixedReality/FallbackDiagnostics](mdm/policy-csp-mixedreality.md#fallbackdiagnostics)<br>- [MixedReality/MicrophoneDisabled](mdm/policy-csp-mixedreality.md#microphonedisabled)<br>- [MixedReality/VolumeButtonDisabled](mdm/policy-csp-mixedreality.md#volumebuttondisabled)<br>- [Update/DisableWUfBSafeguards](mdm/policy-csp-update.md#disablewufbsafeguards)<br>- [WindowsSandbox/AllowAudioInput](mdm/policy-csp-windowssandbox.md#allowaudioinput)<br>- [WindowsSandbox/AllowClipboardRedirection](mdm/policy-csp-windowssandbox.md#allowclipboardredirection)<br>- [WindowsSandbox/AllowNetworking](mdm/policy-csp-windowssandbox.md#allownetworking)<br>- [WindowsSandbox/AllowPrinterRedirection](mdm/policy-csp-windowssandbox.md#allowprinterredirection)<br>- [WindowsSandbox/AllowVGPU](mdm/policy-csp-windowssandbox.md#allowvgpu)<br>- [WindowsSandbox/AllowVideoInput](mdm/policy-csp-windowssandbox.md#allowvideoinput) |
## September 2020
|New or updated article | Description|
|--- | ---|
|[NetworkQoSPolicy CSP](mdm/networkqospolicy-csp.md)|Updated support information of the NetworkQoSPolicy CSP.|
|[Policy CSP - LocalPoliciesSecurityOptions](mdm/policy-csp-localpoliciessecurityoptions.md)|Removed the following unsupported LocalPoliciesSecurityOptions policy settings from the documentation:<br>- RecoveryConsole_AllowAutomaticAdministrativeLogon <br>- DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways<br>- DomainMember_DigitallyEncryptSecureChannelDataWhenPossible<br>- DomainMember_DisableMachineAccountPasswordChanges<br>- SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems<br>|
## August 2020
|New or updated article | Description|
|--- | ---|
|[Policy CSP - System](mdm/policy-csp-system.md)|Removed the following policy settings:<br> - System/AllowDesktopAnalyticsProcessing <br>- System/AllowMicrosoftManagedDesktopProcessing <br> - System/AllowUpdateComplianceProcessing<br> - System/AllowWUfBCloudProcessing <br>|
## July 2020
|New or updated article | Description|
|--- | ---|
|[Policy CSP - System](mdm/policy-csp-system.md)|Added the following new policy settings:<br> - System/AllowDesktopAnalyticsProcessing <br>- System/AllowMicrosoftManagedDesktopProcessing <br> - System/AllowUpdateComplianceProcessing<br> - System/AllowWUfBCloudProcessing <br> <br><br>Updated the following policy setting:<br>- <a href="mdm/policy-csp-system.md#allowcommercialdatapipeline" id="system-allowcommercialdatapipeline">System/AllowCommercialDataPipeline</a> <br>|
## June 2020
|New or updated article | Description|
|--- | ---|
|[BitLocker CSP](mdm/bitlocker-csp.md)|Added SKU support table for **AllowStandardUserEncryption**.|
|[Policy CSP - NetworkIsolation](mdm/policy-csp-networkisolation.md)|Updated the description from Boolean to Integer for the following policy settings:<br>EnterpriseIPRangesAreAuthoritative, EnterpriseProxyServersAreAuthoritative.|
## May 2020
|New or updated article | Description|
|--- | ---|
|[BitLocker CSP](mdm/bitlocker-csp.md)|Added the bitmask table for the Status/DeviceEncryptionStatus node.|
|[Policy CSP - RestrictedGroups](mdm/policy-csp-restrictedgroups.md)| Updated the topic with more details. Added policy timeline table.
## February 2020
|New or updated article | Description|
|--- | ---|
|[CertificateStore CSP](mdm/certificatestore-csp.md)<br>[ClientCertificateInstall CSP](mdm/clientcertificateinstall-csp.md)|Added details about SubjectName value.|
## January 2020
|New or updated article | Description|
|--- | ---|
|[Policy CSP - Defender](mdm/policy-csp-defender.md)|Added descriptions for supported actions for Defender/ThreatSeverityDefaultAction.|
## November 2019
|New or updated article | Description|
|--- | ---|
|[Policy CSP - DeliveryOptimization](mdm/policy-csp-deliveryoptimization.md)|Added option 5 in the supported values list for DeliveryOptimization/DOGroupIdSource.|
|[DiagnosticLog CSP](mdm/diagnosticlog-csp.md)|Added substantial updates to this CSP doc.|
## October 2019
|New or updated article | Description|
|--- | ---|
|[BitLocker CSP](mdm/bitlocker-csp.md)|Added the following new nodes:<br>ConfigureRecoveryPasswordRotation, RotateRecoveryPasswords, RotateRecoveryPasswordsStatus, RotateRecoveryPasswordsRequestID.|
|[Defender CSP](mdm/defender-csp.md)|Added the following new nodes:<br>Health/TamperProtectionEnabled, Health/IsVirtualMachine, Configuration, Configuration/TamperProtection, Configuration/EnableFileHashComputation.|
## September 2019
|New or updated article | Description|
|--- | ---|
|[EnterpriseModernAppManagement CSP](mdm/enterprisemodernappmanagement-csp.md)|Added the following new node:<br>IsStub.|
|[Policy CSP - Defender](mdm/policy-csp-defender.md)|Updated the supported value list for Defender/ScheduleScanDay policy.|
|[Policy CSP - DeviceInstallation](mdm/policy-csp-deviceinstallation.md)|Added the following new policies: <br>DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs, DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs.|
## August 2019
|New or updated article | Description|
|--- | ---|
|[DiagnosticLog CSP](mdm/diagnosticlog-csp.md)<br>[DiagnosticLog DDF](mdm/diagnosticlog-ddf.md)|Added version 1.4 of the CSP in Windows 10, version 1903. Added the new 1.4 version of the DDF. Added the following new nodes:<br>Policy, Policy/Channels, Policy/Channels/ChannelName, Policy/Channels/ChannelName/MaximumFileSize, Policy/Channels/ChannelName/SDDL, Policy/Channels/ChannelName/ActionWhenFull, Policy/Channels/ChannelName/Enabled, DiagnosticArchive, DiagnosticArchive/ArchiveDefinition, DiagnosticArchive/ArchiveResults.|
|[Enroll a Windows 10 device automatically using Group Policy](enroll-a-windows-10-device-automatically-using-group-policy.md)|Enhanced the article to include more reference links and the following two topics:<br>Verify auto-enrollment requirements and settings, Troubleshoot auto-enrollment of devices.|
## July 2019
|New or updated article | Description|
|--- | ---|
|[Policy CSP](mdm/policy-configuration-service-provider.md)|Added the following list:<br>Policies supported by HoloLens 2|
|[ApplicationControl CSP](mdm/applicationcontrol-csp.md)|Added new CSP in Windows 10, version 1903.|
|[PassportForWork CSP](mdm/passportforwork-csp.md)|Added the following new nodes in Windows 10, version 1903:<br>SecurityKey, SecurityKey/UseSecurityKeyForSignin|
|[Policy CSP - Privacy](mdm/policy-csp-privacy.md)|Added the following new policies:<br>LetAppsActivateWithVoice, LetAppsActivateWithVoiceAboveLock|
|Create a custom configuration service provider|Deleted the following documents from the CSP reference because extensibility via CSPs isn't currently supported:<br>Create a custom configuration service provider<br>Design a custom configuration service provider<br>IConfigServiceProvider2<br>IConfigServiceProvider2::ConfigManagerNotification<br>IConfigServiceProvider2::GetNode<br>ICSPNode<br>ICSPNode::Add<br>ICSPNode::Clear<br>ICSPNode::Copy<br>ICSPNode::DeleteChild<br>ICSPNode::DeleteProperty<br>ICSPNode::Execute<br>ICSPNode::GetChildNodeNames<br>ICSPNode::GetProperty<br>ICSPNode::GetPropertyIdentifiers<br>ICSPNode::GetValue<br>ICSPNode::Move<br>ICSPNode::SetProperty<br>ICSPNode::SetValue<br>ICSPNodeTransactioning<br>ICSPValidate<br>Samples for writing a custom configuration service provider.|
## June 2019
|New or updated article | Description|
|--- | ---|
|[Policy CSP - DeviceHealthMonitoring](mdm/policy-csp-devicehealthmonitoring.md)|Added the following new policies:<br>AllowDeviceHealthMonitoring, ConfigDeviceHealthMonitoringScope, ConfigDeviceHealthMonitoringUploadDestination.|
|[Policy CSP - TimeLanguageSettings](mdm/policy-csp-timelanguagesettings.md)|Added the following new policy:<br>ConfigureTimeZone.|
## May 2019
|New or updated article | Description|
|--- | ---|
|[DeviceStatus CSP](mdm/devicestatus-csp.md)|Updated description of the following nodes:<br>DeviceStatus/Antivirus/SignatureStatus, DeviceStatus/Antispyware/SignatureStatus.|
|[EnrollmentStatusTracking CSP](mdm/enrollmentstatustracking-csp.md)|Added new CSP in Windows 10, version 1903.|
|[Policy CSP - DeliveryOptimization](mdm/policy-csp-deliveryoptimization.md)|Added the following new policies:<br> DODelayCacheServerFallbackBackground, DODelayCacheServerFallbackForeground.<br><br>Updated description of the following policies:<br>DOMinRAMAllowedToPeer, DOMinFileSizeToCache, DOMinDiskSizeAllowedToPeer.|
|[Policy CSP - Experience](mdm/policy-csp-experience.md)|Added the following new policy:<br>ShowLockOnUserTile.|
|[Policy CSP - InternetExplorer](mdm/policy-csp-internetexplorer.md)|Added the following new policies:<br>AllowEnhancedSuggestionsInAddressBar, DisableActiveXVersionListAutoDownload, DisableCompatView, DisableFeedsBackgroundSync, DisableGeolocation, DisableWebAddressAutoComplete, NewTabDefaultPage.|
|[Policy CSP - Power](mdm/policy-csp-power.md)|Added the following new policies:<br>EnergySaverBatteryThresholdOnBattery, EnergySaverBatteryThresholdPluggedIn, SelectLidCloseActionOnBattery, SelectLidCloseActionPluggedIn, SelectPowerButtonActionOnBattery, SelectPowerButtonActionPluggedIn, SelectSleepButtonActionOnBattery, SelectSleepButtonActionPluggedIn, TurnOffHybridSleepOnBattery, TurnOffHybridSleepPluggedIn, UnattendedSleepTimeoutOnBattery, UnattendedSleepTimeoutPluggedIn.|
|[Policy CSP - Search](mdm/policy-csp-search.md)|Added the following new policy:<br>AllowFindMyFiles.|
|[Policy CSP - ServiceControlManager](mdm/policy-csp-servicecontrolmanager.md)|Added the following new policy:<br>SvchostProcessMitigation.|
|[Policy CSP - System](mdm/policy-csp-system.md)|Added the following new policies:<br>AllowCommercialDataPipeline, TurnOffFileHistory.|
|[Policy CSP - Troubleshooting](mdm/policy-csp-troubleshooting.md)|Added the following new policy:<br>AllowRecommendations.|
|[Policy CSP - Update](mdm/policy-csp-update.md)|Added the following new policies:<br>AutomaticMaintenanceWakeUp, ConfigureDeadlineForFeatureUpdates, ConfigureDeadlineForQualityUpdates, ConfigureDeadlineGracePeriod, ConfigureDeadlineNoAutoReboot.|
|[Policy CSP - WindowsLogon](mdm/policy-csp-windowslogon.md)|Added the following new policies:<br>AllowAutomaticRestartSignOn, ConfigAutomaticRestartSignOn, EnableFirstLogonAnimation.<br><br>Removed the following policy:<br>SignInLastInteractiveUserAutomaticallyAfterASystemInitiatedRestart. This policy is replaced by AllowAutomaticRestartSignOn.|
## April 2019
| New or updated article | Description |
|-------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| [Win32 and Desktop Bridge app policy configuration](win32-and-centennial-app-policy-configuration.md) | Added the following warning at the end of the Overview section:<br>Some operating system components have built in functionality to check devices for domain membership. MDM enforces the configured policy values only if the devices are domain joined, otherwise it doesn't. However, you can still import ADMX files and set ADMX-backed policies regardless of whether the device is domain joined or non-domain joined. |
| [Policy CSP - UserRights](mdm/policy-csp-userrights.md) | Added a note stating if you use Intune custom profiles to assign UserRights policies, you must use the CDATA tag (<![CDATA[...]]>) to wrap the data fields. |
## March 2019
|New or updated article | Description|
|--- | ---|
|[Policy CSP - Storage](mdm/policy-csp-storage.md)|Updated ADMX Info of the following policies:<br>AllowStorageSenseGlobal, AllowStorageSenseTemporaryFilesCleanup, ConfigStorageSenseCloudContentDehydrationThreshold, ConfigStorageSenseDownloadsCleanupThreshold, ConfigStorageSenseGlobalCadence, ConfigStorageSenseRecycleBinCleanupThreshold. <br><br>Updated description of ConfigStorageSenseDownloadsCleanupThreshold.|
## February 2019
|New or updated article | Description|
|--- | ---|
|[Policy CSP](mdm/policy-configuration-service-provider.md)|Updated supported policies for Holographic.|
## January 2019
|New or updated article | Description|
|--- | ---|
|[Policy CSP - Storage](mdm/policy-csp-storage.md)|Added the following new policies: AllowStorageSenseGlobal, ConfigStorageSenseGlobalCadence, AllowStorageSenseTemporaryFilesCleanup, ConfigStorageSenseRecycleBinCleanupThreshold, ConfigStorageSenseDownloadsCleanupThreshold, and ConfigStorageSenseCloudContentCleanupThreshold.|
|[SharedPC CSP](mdm/sharedpc-csp.md)|Updated values and supported operations.|
|[Mobile device management](mdm/index.yml)|Updated information about MDM Security Baseline.|
## December 2018
|New or updated article | Description|
|--- | ---|
|[BitLocker CSP](mdm/bitlocker-csp.md)|Updated AllowWarningForOtherDiskEncryption policy description to describe silent and non-silent encryption scenarios, as well as where and how the recovery key is backed up for each scenario.|
## September 2018
|New or updated article | Description|
|--- | ---|
|[Policy CSP - DeviceGuard](mdm/policy-csp-deviceguard.md) | Updated ConfigureSystemGuardLaunch policy and replaced EnableSystemGuard with it.|
## August 2018
|New or updated article|Description|
|--- |--- |
|[BitLocker CSP](mdm/bitlocker-csp.md)|Added support for Windows 10 Pro starting in the version 1809.|
|[Office CSP](mdm/office-csp.md)|Added FinalStatus setting in Windows 10, version 1809.|
|[RemoteWipe CSP](mdm/remotewipe-csp.md)|Added new settings in Windows 10, version 1809.|
|[TenantLockdown CSP](mdm/tenantlockdown-csp.md)|Added new CSP in Windows 10, version 1809.|
|[WindowsDefenderApplicationGuard CSP](mdm/windowsdefenderapplicationguard-csp.md)|Added new settings in Windows 10, version 1809.|
|[Policy DDF file](mdm/configuration-service-provider-ddf.md)|Posted an updated version of the Policy DDF for Windows 10, version 1809.|
|[Policy CSP](mdm/policy-configuration-service-provider.md)|Added the following new policies in Windows 10, version 1809:<li>Browser/AllowFullScreenMode<li>Browser/AllowPrelaunch<li>Browser/AllowPrinting<li>Browser/AllowSavingHistory<li>Browser/AllowSideloadingOfExtensions<li>Browser/AllowTabPreloading<li>Browser/AllowWebContentOnNewTabPage<li>Browser/ConfigureFavoritesBar<li>Browser/ConfigureHomeButton<li>Browser/ConfigureKioskMode<li>Browser/ConfigureKioskResetAfterIdleTimeout<li>Browser/ConfigureOpenMicrosoftEdgeWith<li>Browser/ConfigureTelemetryForMicrosoft365Analytics<li>Browser/PreventCertErrorOverrides<li>Browser/SetHomeButtonURL<li>Browser/SetNewTabPageURL<li>Browser/UnlockHomeButton<li>Experience/DoNotSyncBrowserSettings<li>Experience/PreventUsersFromTurningOnBrowserSyncing<li>Kerberos/UPNNameHints<li>Privacy/AllowCrossDeviceClipboard<li>Privacy<li>DisablePrivacyExperience<li>Privacy/UploadUserActivities<li>System/AllowDeviceNameInDiagnosticData<li>System/ConfigureMicrosoft365UploadEndpoint<li>System/DisableDeviceDelete<li>System/DisableDiagnosticDataViewer<li>Storage/RemovableDiskDenyWriteAccess<li>Update/UpdateNotificationLevel<br/><br/>Start/DisableContextMenus - added in Windows 10, version 1803.<br/><br/>RestrictedGroups/ConfigureGroupMembership - added new schema to apply and retrieve the policy.|
## July 2018
|New or updated article|Description|
|--- |--- |
|[AssignedAccess CSP](mdm/assignedaccess-csp.md)|Added the following note:<br/><br/>You can only assign one single app kiosk profile to an individual user account on a device. The single app profile doesn't support domain groups.|
|[PassportForWork CSP](mdm/passportforwork-csp.md)|Added new settings in Windows 10, version 1809.|
|[EnterpriseModernAppManagement CSP](mdm/enterprisemodernappmanagement-csp.md)|Added NonRemovable setting under AppManagement node in Windows 10, version 1809.|
|[Win32CompatibilityAppraiser CSP](mdm/win32compatibilityappraiser-csp.md)|Added new configuration service provider in Windows 10, version 1809.|
|[WindowsLicensing CSP](mdm/windowslicensing-csp.md)|Added S mode settings and SyncML examples in Windows 10, version 1809.|
|[SUPL CSP](mdm/supl-csp.md)|Added three new certificate nodes in Windows 10, version 1809.|
|[Defender CSP](mdm/defender-csp.md)|Added a new node Health/ProductStatus in Windows 10, version 1809.|
|[BitLocker CSP](mdm/bitlocker-csp.md)|Added a new node AllowStandardUserEncryption in Windows 10, version 1809.|
|[DevDetail CSP](mdm/devdetail-csp.md)|Added a new node SMBIOSSerialNumber in Windows 10, version 1809.|
|[Policy CSP](mdm/policy-configuration-service-provider.md)|Added the following new policies in Windows 10, version 1809:<li>ApplicationManagement/LaunchAppAfterLogOn<li>ApplicationManagement/ScheduleForceRestartForUpdateFailures <li>Authentication/EnableFastFirstSignIn (Preview mode only)<li>Authentication/EnableWebSignIn (Preview mode only)<li>Authentication/PreferredAadTenantDomainName<li>Defender/CheckForSignaturesBeforeRunningScan<li>Defender/DisableCatchupFullScan <li>Defender/DisableCatchupQuickScan <li>Defender/EnableLowCPUPriority<li>Defender/SignatureUpdateFallbackOrder<li>Defender/SignatureUpdateFileSharesSources<li>DeviceGuard/ConfigureSystemGuardLaunch<li>DeviceInstallation/AllowInstallationOfMatchingDeviceIDs<li>DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses<li>DeviceInstallation/PreventDeviceMetadataFromNetwork<li>DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings<li>DmaGuard/DeviceEnumerationPolicy<li>Experience/AllowClipboardHistory<li>Security/RecoveryEnvironmentAuthentication<li>TaskManager/AllowEndTask<li>WindowsDefenderSecurityCenter/DisableClearTpmButton<li>WindowsDefenderSecurityCenter/DisableTpmFirmwareUpdateWarning<li>WindowsDefenderSecurityCenter/HideWindowsSecurityNotificationAreaControl<li>WindowsLogon/DontDisplayNetworkSelectionUI<br/><br/>Recent changes:<li>DataUsage/SetCost3G - deprecated in Windows 10, version 1809.|
## June 2018
|New or updated article|Description|
|--- |--- |
|[Wifi CSP](mdm/wifi-csp.md)|Added a new node WifiCost in Windows 10, version 1809.|
|[Diagnose MDM failures in Windows 10](diagnose-mdm-failures-in-windows-10.md)|Recent changes:<li>Added procedure for collecting logs remotely from Windows 10 Holographic.<li>Added procedure for downloading the MDM Diagnostic Information log.|
|[BitLocker CSP](mdm/bitlocker-csp.md)|Added new node AllowStandardUserEncryption in Windows 10, version 1809.|
|[Policy CSP](mdm/policy-configuration-service-provider.md)|Recent changes:<li>AccountPoliciesAccountLockoutPolicy<li>AccountLockoutDuration - removed from docs. Not supported.<li>AccountPoliciesAccountLockoutPolicy/AccountLockoutThreshold - removed from docs. Not supported.<li>AccountPoliciesAccountLockoutPolicy/ResetAccountLockoutCounterAfter - removed from docs. Not supported.<li>LocalPoliciesSecurityOptions/NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers - removed from docs. Not supported.<li>System/AllowFontProviders isn't supported in HoloLens (first gen) Commercial Suite.<li>Security/RequireDeviceEncryption is supported in the Home SKU.<li>Start/StartLayout - added a table of SKU support information.<li>Start/ImportEdgeAssets - added a table of SKU support information.<br/><br/>Added the following new policies in Windows 10, version 1809:<li>Update/EngagedRestartDeadlineForFeatureUpdates<li>Update/EngagedRestartSnoozeScheduleForFeatureUpdates<li>Update/EngagedRestartTransitionScheduleForFeatureUpdates<li>Update/SetDisablePauseUXAccess<li>Update/SetDisableUXWUAccess|
|[WiredNetwork CSP](mdm/wirednetwork-csp.md)|New CSP added in Windows 10, version 1809.|
## May 2018
|New or updated article|Description|
|--- |--- |
|[Policy DDF file](mdm/configuration-service-provider-ddf.md)|Updated the DDF files in the Windows 10 version 1703 and 1709.<li>[Download the Policy DDF file for Windows 10, version 1709](https://download.microsoft.com/download/8/C/4/8C43C116-62CB-470B-9B69-76A3E2BC32A8/PolicyDDF_all.xml)<li>[Download the Policy DDF file for Windows 10, version 1703](https://download.microsoft.com/download/7/2/C/72C36C37-20F9-41BF-8E23-721F6FFC253E/PolicyDDF_all.xml)|
## April 2018
|New or updated article|Description|
|--- |--- |
|[WindowsDefenderApplicationGuard CSP](mdm/windowsdefenderapplicationguard-csp.md)|Added the following node in Windows 10, version 1803:<li>Settings/AllowVirtualGPU<li>Settings/SaveFilesToHost|
|[NetworkProxy CSP](mdm/networkproxy-csp.md)|Added the following node in Windows 10, version 1803:<li>ProxySettingsPerUser|
|[Accounts CSP](mdm/accounts-csp.md)|Added a new CSP in Windows 10, version 1803.|
|[CSP DDF files download](mdm/configuration-service-provider-ddf.md)|Added the DDF download of Windows 10, version 1803 configuration service providers.|
|[Policy CSP](mdm/policy-configuration-service-provider.md)|Added the following new policies for Windows 10, version 1803:<li>Bluetooth/AllowPromptedProximalConnections<li>KioskBrowser/EnableEndSessionButton<li>LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AddRemoteServerExceptionsForNTLMAuthentication<li>LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AuditIncomingNTLMTraffic<li>LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_IncomingNTLMTraffic<li>LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers|
## March 2018
|New or updated article|Description|
|--- |--- |
|[eUICCs CSP](mdm/euiccs-csp.md)|Added the following node in Windows 10, version 1803:<li>IsEnabled|
|[DeviceStatus CSP](mdm/devicestatus-csp.md)|Added the following node in Windows 10, version 1803:<li>OS/Mode|
|[Understanding ADMX-backed policies](understanding-admx-backed-policies.md)|Added the following videos:<li>[How to create a custom xml to enable an ADMX-backed policy and deploy the XML in Intune](https://www.microsoft.com/showcase/video.aspx?uuid=bdc9b54b-11b0-4bdb-a022-c339d16e7121)<li>[How to import a custom ADMX file to a device using Intune](https://www.microsoft.com/showcase/video.aspx?uuid=a59888b1-429f-4a49-8570-c39a143d9a73)|
|[AccountManagement CSP](mdm/accountmanagement-csp.md)|Added a new CSP in Windows 10, version 1803.|
|[RootCATrustedCertificates CSP](mdm/rootcacertificates-csp.md)|Added the following node in Windows 10, version 1803:<li>UntrustedCertificates|
|[Policy CSP](mdm/policy-configuration-service-provider.md)|Added the following new policies for Windows 10, version 1803:<li>ApplicationDefaults/EnableAppUriHandlers<li>ApplicationManagement/MSIAllowUserControlOverInstall<li>ApplicationManagement/MSIAlwaysInstallWithElevatedPrivileges<li>Connectivity/AllowPhonePCLinking<li>Notifications/DisallowCloudNotification<li>Notifications/DisallowTileNotification<li>RestrictedGroups/ConfigureGroupMembership<br/><br/>The following existing policies were updated:<li>Browser/AllowCookies - updated the supported values. There are three values - 0, 1, 2.<li>InternetExplorer/AllowSiteToZoneAssignmentList - updated the description and added an example SyncML<li>TextInput/AllowIMENetworkAccess - introduced new suggestion services in Japanese IME in addition to cloud suggestion.<br/><br/>Added a new section:<li>[[Policies in Policy CSP supported by Group Policy](mdm/policies-in-policy-csp-supported-by-group-policy.md) - list of policies in Policy CSP that has corresponding Group Policy. The policy description contains the GP information, such as GP policy name and variable name.|
|[Policy CSP - Bluetooth](mdm/policy-csp-bluetooth.md)|Added new section [ServicesAllowedList usage guide](mdm/policy-csp-bluetooth.md#servicesallowedlist-usage-guide).|
|[MultiSIM CSP](mdm/multisim-csp.md)|Added SyncML examples and updated the settings descriptions.|
|[RemoteWipe CSP](mdm/remotewipe-csp.md)|Reverted back to Windows 10, version 1709. Removed previous draft documentation for version 1803.|
## February 2018
|New or updated article|Description|
|--- |--- |
|[Policy CSP](mdm/policy-configuration-service-provider.md)|Added the following new policies for Windows 10, version 1803:<li>Display/DisablePerProcessDpiForApps<li>Display/EnablePerProcessDpi<li>Display/EnablePerProcessDpiForApps<li>Experience/AllowWindowsSpotlightOnSettings<li>TextInput/ForceTouchKeyboardDockedState<li>TextInput/TouchKeyboardDictationButtonAvailability<li>TextInput/TouchKeyboardEmojiButtonAvailability<li>TextInput/TouchKeyboardFullModeAvailability<li>TextInput/TouchKeyboardHandwritingModeAvailability<li>TextInput/TouchKeyboardNarrowModeAvailability<li>TextInput/TouchKeyboardSplitModeAvailability<li>TextInput/TouchKeyboardWideModeAvailability|
|[VPNv2 ProfileXML XSD](mdm/vpnv2-profile-xsd.md)|Updated the XSD and Plug-in profile example for VPNv2 CSP.|
|[AssignedAccess CSP](mdm/assignedaccess-csp.md)|Added the following nodes in Windows 10, version 1803:<li>Status<li>ShellLauncher<li>StatusConfiguration<br/><br/>Updated the AssigneAccessConfiguration schema. Starting in Windows 10, version 1803 AssignedAccess CSP is supported in HoloLens (first gen) Commercial Suite. Added example for HoloLens (first gen) Commercial Suite.|
|[MultiSIM CSP](mdm/multisim-csp.md)|Added a new CSP in Windows 10, version 1803.|
|[EnterpriseModernAppManagement CSP](mdm/enterprisemodernappmanagement-csp.md)|Added the following node in Windows 10, version 1803:<li>MaintainProcessorArchitectureOnUpdate|
## January 2018
|New or updated article|Description|
|--- |--- |
|[Policy CSP](mdm/policy-configuration-service-provider.md)|Added the following new policies for Windows 10, version 1803:<li>Browser/AllowConfigurationUpdateForBooksLibrary<li>Browser/AlwaysEnableBooksLibrary<li>Browser/EnableExtendedBooksTelemetry<li>Browser/UseSharedFolderForBooks<li>DeliveryOptimization/DODelayBackgroundDownloadFromHttp<li>DeliveryOptimization/DODelayForegroundDownloadFromHttp<li>DeliveryOptimization/DOGroupIdSource<li>DeliveryOptimization/DOPercentageMaxBackDownloadBandwidth<li>DeliveryOptimization/DOPercentageMaxForeDownloadBandwidth<li>DeliveryOptimization/DORestrictPeerSelectionBy<li>DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth<li>DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth<li>KioskBrowser/BlockedUrlExceptions<li>KioskBrowser/BlockedUrls<li>KioskBrowser/DefaultURL<li>KioskBrowser/EnableHomeButton<li>KioskBrowser/EnableNavigationButtons<li>KioskBrowser/RestartOnIdleTime<li>LocalPoliciesSecurityOptions/Devices_AllowUndockWithoutHavingToLogon<li>LocalPoliciesSecurityOptions/Devices_AllowedToFormatAndEjectRemovableMedia<li>LocalPoliciesSecurityOptions/Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters<li>LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly<li>LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior<li>LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees<li>LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers<li>LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways<li>LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees<li>LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts<li>LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares<li>LocalPoliciesSecurityOptions/NetworkAccess_RestrictAno
nymousAccessToNamedPipesAndShares<li>LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM<li>LocalPoliciesSecurityOptions/NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange<li>LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel<li>LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients<li>LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers<li>LocalPoliciesSecurityOptions/Shutdown_ClearVirtualMemoryPageFile<li>LocalPoliciesSecurityOptions/UserAccountControl_DetectApplicationInstallationsAndPromptForElevation<li>LocalPoliciesSecurityOptions/UserAccountControl_UseAdminApprovalMode<li>RestrictedGroups/ConfigureGroupMembership<li>Search/AllowCortanaInAAD<li>Search/DoNotUseWebResults<li>Security/ConfigureWindowsPasswords<li>System/FeedbackHubAlwaysSaveDiagnosticsLocally<li>SystemServices/ConfigureHomeGroupListenerServiceStartupMode<li>SystemServices/ConfigureHomeGroupProviderServiceStartupMode<li>SystemServices/ConfigureXboxAccessoryManagementServiceStartupMode<li>SystemServices/ConfigureXboxLiveAuthManagerServiceStartupMode<li>SystemServices/ConfigureXboxLiveGameSaveServiceStartupMode<li>SystemServices/ConfigureXboxLiveNetworkingServiceStartupMode<li>TaskScheduler/EnableXboxGameSaveTask<li>TextInput/EnableTouchKeyboardAutoInvokeInDesktopMode<li>Update/ConfigureFeatureUpdateUninstallPeriod<li>UserRights/AccessCredentialManagerAsTrustedCaller<li>UserRights/AccessFromNetwork<li>UserRights/ActAsPartOfTheOperatingSystem<li>UserRights/AllowLocalLogOn<li>UserRights/BackupFilesAndDirectories<li>UserRights/ChangeSystemTime<li>UserRights/CreateGlobalObjects<li>UserRights/CreatePageFile<li>UserRights/CreatePermanentSharedObjects<li>UserRights/CreateSymbolicLinks<li>UserRights/CreateToken<li>UserRights/DebugPrograms<li>UserRights/DenyAccessFromNetwork<li>UserRights/DenyLocalLogOn<li>UserRights/DenyRemoteDesktopServicesLogOn<li>UserRights/En
ableDelegation<li>UserRights/GenerateSecurityAudits<li>UserRights/ImpersonateClient<li>UserRights/IncreaseSchedulingPriority<li>UserRights/LoadUnloadDeviceDrivers<li>UserRights/LockMemory<li>UserRights/ManageAuditingAndSecurityLog<li>UserRights/ManageVolume<li>UserRights/ModifyFirmwareEnvironment<li>UserRights/ModifyObjectLabel<li>UserRights/ProfileSingleProcess<li>UserRights/RemoteShutdown<li>UserRights/RestoreFilesAndDirectories<li>UserRights/TakeOwnership<li>WindowsDefenderSecurityCenter/DisableAccountProtectionUI<li>WindowsDefenderSecurityCenter/DisableDeviceSecurityUI<li>WindowsDefenderSecurityCenter/HideRansomwareDataRecovery<li>WindowsDefenderSecurityCenter/HideSecureBoot<li>WindowsDefenderSecurityCenter/HideTPMTroubleshooting<br/><br/>Added the following policies in Windows 10, version 1709<li>DeviceLock/MinimumPasswordAge<li>Settings/AllowOnlineTips<li>System/DisableEnterpriseAuthProxy<br/><br/>Security/RequireDeviceEncryption - updated to show it's supported in desktop.|
|[BitLocker CSP](mdm/bitlocker-csp.md)|Updated the description for AllowWarningForOtherDiskEncryption to describe changes added in Windows 10, version 1803.|
|[EnterpriseModernAppManagement CSP](mdm/enterprisemodernappmanagement-csp.md)|Added new node MaintainProcessorArchitectureOnUpdate in Windows 10, next major update.|
|[DMClient CSP](mdm/dmclient-csp.md)|Added ./User/Vendor/MSFT/DMClient/Provider/[ProviderID]/FirstSyncStatus node. Also added the following nodes in Windows 10, version 1803:<li>AADSendDeviceToken<li>BlockInStatusPage<li>AllowCollectLogsButton<li>CustomErrorText<li>SkipDeviceStatusPage<li>SkipUserStatusPage|
|[Defender CSP](mdm/defender-csp.md)|Added new node (OfflineScan) in Windows 10, version 1803.|
|[UEFI CSP](mdm/uefi-csp.md)|Added a new CSP in Windows 10, version 1803.|
|[Update CSP](mdm/update-csp.md)|Added the following nodes in Windows 10, version 1803:<li>Rollback<li>Rollback/FeatureUpdate<li>Rollback/QualityUpdateStatus<li>Rollback/FeatureUpdateStatus|
## December 2017
|New or updated article|Description|
|--- |--- |
|[Configuration service provider reference](mdm/index.yml)|Added new section [CSP DDF files download](mdm/configuration-service-provider-ddf.md)|
## November 2017
|New or updated article|Description|
|--- |--- |
|[Policy CSP](mdm/policy-configuration-service-provider.md)|Added the following policies for Windows 10, version 1709:<li>Authentication/AllowFidoDeviceSignon<li>Cellular/LetAppsAccessCellularData<li>Cellular/LetAppsAccessCellularData_ForceAllowTheseApps<li>Cellular/LetAppsAccessCellularData_ForceDenyTheseApps<li>Cellular/LetAppsAccessCellularData_UserInControlOfTheseApps<li>Start/HidePeopleBar<li>Storage/EnhancedStorageDevices<li>Update/ManagePreviewBuilds<li>WirelessDisplay/AllowMdnsAdvertisement<li>WirelessDisplay/AllowMdnsDiscovery<br/><br/>Added missing policies from previous releases:<li>Connectivity/DisallowNetworkConnectivityActiveTest<li>Search/AllowWindowsIndexer|
## October 2017
| New or updated article | Description |
| --- | --- |
| [Policy DDF file](mdm/configuration-service-provider-ddf.md) | Updated the DDF content for Windows 10 version 1709. Added a link to the download of Policy DDF for Windows 10, version 1709. |
| [Policy CSP](mdm/policy-configuration-service-provider.md) | Updated the following policies:<br/><br/>- Defender/ControlledFolderAccessAllowedApplications - string separator is `|` <br/>- Defender/ControlledFolderAccessProtectedFolders - string separator is `|` |
| [eUICCs CSP](mdm/euiccs-csp.md) | Added new CSP in Windows 10, version 1709. |
| [AssignedAccess CSP](mdm/assignedaccess-csp.md) | Added SyncML examples for the new Configuration node. |
| [DMClient CSP](mdm/dmclient-csp.md) | Added new nodes to the DMClient CSP in Windows 10, version 1709. Updated the CSP and DDF topics. |
## September 2017
|New or updated article|Description|
|--- |--- |
|[Policy CSP](mdm/policy-configuration-service-provider.md)|Added the following new policies for Windows 10, version 1709:<li>Authentication/AllowAadPasswordReset<li>Handwriting/PanelDefaultModeDocked<li>Search/AllowCloudSearch<li>System/LimitEnhancedDiagnosticDataWindowsAnalytics<br/><br/>Added new settings to Update/BranchReadinessLevel policy in Windows 10 version 1709.|
|[AssignedAccess CSP](mdm/assignedaccess-csp.md)|Starting in Windows 10, version 1709, AssignedAccess CSP is also supported in Windows 10 Pro.|
|Microsoft Store for Business and Microsoft Store|Windows Store for Business name changed to Microsoft Store for Business. Windows Store name changed to Microsoft Store.|
|The [[MS-MDE2]: Mobile Device Enrollment Protocol Version 2](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692)|The Windows 10 enrollment protocol was updated. The following elements were added to the RequestSecurityToken message:<li>UXInitiated - boolean value that indicates whether the enrollment is user initiated from the Settings page.<li>ExternalMgmtAgentHint - a string the agent uses to give hints the enrollment server may need.<li>DomainName - fully qualified domain name if the device is domain-joined.<br/><br/>For examples, see section 4.3.1 RequestSecurityToken of the MS-MDE2 protocol documentation.|
|[EnterpriseAPN CSP](mdm/enterpriseapn-csp.md)|Added a SyncML example.|
|[VPNv2 CSP](mdm/vpnv2-csp.md)|Added RegisterDNS setting in Windows 10, version 1709.|
|[Enroll a Windows 10 device automatically using Group Policy](enroll-a-windows-10-device-automatically-using-group-policy.md)|Added new topic to introduce a new Group Policy for automatic MDM enrollment.|
|[MDM enrollment of Windows-based devices](mdm-enrollment-of-windows-devices.md)|New features in the Settings app:<li>User sees installation progress of critical policies during MDM enrollment.<li>User knows what policies, profiles, apps MDM has configured<li>IT helpdesk can get detailed MDM diagnostic information using client tools<br/><br/>For details, see [Managing connections](mdm-enrollment-of-windows-devices.md#manage-connections) and [Collecting diagnostic logs](mdm-enrollment-of-windows-devices.md#collecting-diagnostic-logs)|
## August 2017
|New or updated article|Description|
|--- |--- |
|[Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md)|Added new step-by-step guide to enable ADMX-backed policies.|
|[Mobile device enrollment](mobile-device-enrollment.md)|Added the following statement:<br/><br/>Devices that are joined to an on-premises Active Directory can enroll into MDM via the Work access page in Settings. However, the enrollment can only target the user enrolled with user-specific policies. Device targeted policies will continue to impact all users of the device.|
|[CM_CellularEntries CSP](mdm/cm-cellularentries-csp.md)|Updated the description of the PuposeGroups node to add the GUID for applications. This node is required instead of optional.|
|[EnterpriseDataProtection CSP](mdm/enterprisedataprotection-csp.md)|Updated the Settings/EDPEnforcementLevel values to the following values:<li> 0 (default) Off / No protection (decrypts previously protected data).<li> 1 Silent mode (encrypt and audit only).<li> 2 Allow override mode (encrypt, prompt and allow overrides, and audit).<li> 3 Hides overrides (encrypt, prompt but hide overrides, and audit).|
|[AppLocker CSP](mdm/applocker-csp.md)|Added two new SyncML examples (to disable the calendar app and to block usage of the map app) in [Allowlist examples](mdm/applocker-csp.md#allowlist-examples).|
|[DeviceManageability CSP](mdm/devicemanageability-csp.md)|Added the following settings in Windows 10, version 1709:<li>Provider/ProviderID/ConfigInfo<li> Provider/ProviderID/EnrollmentInfo|
|[Office CSP](mdm/office-csp.md)|Added the following setting in Windows 10, version 1709:<li>Installation/CurrentStatus|
|[BitLocker CSP](mdm/bitlocker-csp.md)|Added information to the ADMX-backed policies. Changed the minimum personal identification number (PIN) length to four digits in SystemDrivesRequireStartupAuthentication and SystemDrivesMinimumPINLength in Windows 10, version 1709.|
|[Firewall CSP](mdm/firewall-csp.md)|Updated the CSP and DDF topics. Here are the changes:<li>Removed the two settings - FirewallRules/FirewallRuleName/FriendlyName and FirewallRules/FirewallRuleName/IcmpTypesAndCodes.<li>Changed some data types from integer to bool.<li>Updated the list of supported operations for some settings.<li>Added default values.|
|[Policy DDF file](mdm/configuration-service-provider-ddf.md)|Added another Policy DDF file [download](https://download.microsoft.com/download/6/1/C/61C022FD-6F5D-4F73-9047-17F630899DC4/PolicyDDF_all_version1607_8C.xml) for the 8C release of Windows 10, version 1607, which added the following policies:<li>Browser/AllowMicrosoftCompatibilityList<li>Update/DisableDualScan<li>Update/FillEmptyContentUrls|
|[Policy CSP](mdm/policy-configuration-service-provider.md)|Added the following new policies for Windows 10, version 1709:<li>Browser/ProvisionFavorites<li>Browser/LockdownFavorites<li>ExploitGuard/ExploitProtectionSettings<li>Games/AllowAdvancedGamingServices<li>LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts<li>LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly<li>LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount<li>LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount<li>LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked<li>LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayLastSignedIn<li>LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayUsernameAtSignIn<li>LocalPoliciesSecurityOptions/Interactivelogon_DoNotRequireCTRLALTDEL<li>LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit<li>LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn<li>LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn<li>LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests<li>LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn<li>LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation<li>LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators<li>LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers<li>LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated<li>LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations<li>LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode<li>LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation<li>LocalPoliciesSecur
ityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations<li>Privacy/EnableActivityFeed<li>Privacy/PublishUserActivities<li>Update/DisableDualScan<li>Update/AllowAutoWindowsUpdateDownloadOverMeteredNetwork<br/><br/>Changed the name of new policy to CredentialProviders/DisableAutomaticReDeploymentCredentials from CredentialProviders/EnableWindowsAutopilotResetCredentials.<br/><br/>Changed the names of the following policies:<li>Defender/GuardedFoldersAllowedApplications to Defender/ControlledFolderAccessAllowedApplications<li>Defender/GuardedFoldersList to Defender/ControlledFolderAccessProtectedFolders<li>Defender/EnableGuardMyFolders to Defender/EnableControlledFolderAccess<br/><br/>Added links to the extra [ADMX-backed BitLocker policies](mdm/policy-csp-bitlocker.md).<br/><br/>There were issues reported with the previous release of the following policies. These issues were fixed in Windows 10, version 1709:<li>Privacy/AllowAutoAcceptPairingAndPrivacyConsentPrompts<li>Start/HideAppList|


@ -1,94 +1,133 @@
---
title: Connect to remote Azure Active Directory-joined PC (Windows)
description: You can use Remote Desktop Connection to connect to an Azure AD-joined PC.
title: Connect to remote Azure Active Directory joined device (Windows)
description: Learn how to use Remote Desktop Connection to connect to an Azure AD joined device.
ms.prod: windows-client
author: vinaypamnani-msft
ms.localizationpriority: medium
ms.author: vinpa
ms.date: 01/18/2022
ms.reviewer:
manager: aaroncz
ms.topic: article
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 and later</a>
ms.collection:
- highpri
- tier2
ms.technology: itpro-manage
---
# Connect to remote Azure Active Directory-joined PC
# Connect to remote Azure Active Directory joined device
From its release, Windows has supported remote connections to devices joined to Active Directory using Remote Desktop Protocol (RDP). Windows 10, version 1607 added the ability to connect to a device that is joined to Azure Active Directory (Azure AD) using RDP.
**Applies to**
- Starting in Windows 10, version 1809, you can [use biometrics to authenticate to a remote desktop session](/windows/whats-new/whats-new-windows-10-version-1809#remote-desktop-with-biometrics).
- Starting in Windows 10/11, with 2022-10 update installed, you can [use Azure AD authentication to connect to the remote Azure AD device](#connect-with-azure-ad-authentication).
- Windows 10
- Windows 11
## Prerequisites
- Both devices (local and remote) must be running a supported version of Windows.
- Remote device must have the **Connect to and use this PC from another device using the Remote Desktop app** option selected under **Settings** > **System** > **Remote Desktop**.
- It's recommended to select **Require devices to use Network Level Authentication to connect** option.
- If the user who joined the device to Azure AD is the only one who is going to connect remotely, no other configuration is needed. To allow more users or groups to connect to the device remotely, you must [add users to the Remote Desktop Users group](#add-users-to-remote-desktop-users-group) on the remote device.
- Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-guard) is turned off on the device you're using to connect to the remote device.
From its release, Windows 10 has supported remote connections to PCs joined to Active Directory. Starting in Windows 10, version 1607, you can also connect to a remote PC that is [joined to Azure Active Directory (Azure AD)](/azure/active-directory/devices/concept-azure-ad-join). Starting in Windows 10, version 1809, you can [use biometrics to authenticate to a remote desktop session](/windows/whats-new/whats-new-windows-10-version-1809#remote-desktop-with-biometrics).
## Connect with Azure AD Authentication
![Remote Desktop Connection client.](images/rdp.png)
Azure AD Authentication can be used on the following operating systems for both the local and remote device:
## Set up
- Windows 11 with [2022-10 Cumulative Updates for Windows 11 (KB5018418)](https://support.microsoft.com/kb/KB5018418) or later installed.
- Windows 10, version 20H2 or later with [2022-10 Cumulative Updates for Windows 10 (KB5018410)](https://support.microsoft.com/kb/KB5018410) or later installed.
- Windows Server 2022 with [2022-10 Cumulative Update for Microsoft server operating system (KB5018421)](https://support.microsoft.com/kb/KB5018421) or later installed.
- Both PCs (local and remote) must be running Windows 10, version 1607 or later. Remote connections to an Azure AD-joined PC running earlier versions of Windows 10 aren't supported.
- Your local PC (where you're connecting from) must be either Azure AD-joined or Hybrid Azure AD-joined if using Windows 10, version 1607 and above, or [Azure AD registered](/azure/active-directory/devices/concept-azure-ad-register) if using Windows 10, version 2004 and above. Remote connections to an Azure AD-joined PC from an unjoined device or a non-Windows 10 device aren't supported.
- The local PC and remote PC must be in the same Azure AD tenant. Azure AD B2B guests aren't supported for Remote desktop.
There's no requirement for the local device to be joined to a domain or Azure AD. As a result, this method allows you to connect to the remote Azure AD joined device from:
Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-guard), a new feature in Windows 10, version 1607, is turned off on the client PC you're using to connect to the remote PC.
- [Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join) or [Hybrid Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid) device.
- Active Directory joined device.
- Workgroup device.
- On the PC you want to connect to:
Azure AD authentication can also be used to connect to Hybrid Azure AD joined devices.
1. Open system properties for the remote PC.
To connect to the remote computer:
2. Enable **Allow remote connections to this computer** and select **Allow connections only from computers running Remote Desktop with Network Level Authentication**.
- Launch **Remote Desktop Connection** from Windows Search, or by running `mstsc.exe`.
- Select **Use a web account to sign in to the remote computer** option in the **Advanced** tab. This option is equivalent to the `enablerdsaadauth` RDP property. For more information, see [Supported RDP properties with Remote Desktop Services](/windows-server/remote/remote-desktop-services/clients/rdp-files).
- Specify the name of the remote computer and select **Connect**.
![Allow remote connections to this computer.](images/allow-rdp.png)
> [!NOTE]
> IP address cannot be used when **Use a web account to sign in to the remote computer** option is used.
> The name must match the hostname of the remote device in Azure AD and be network addressable, resolving to the IP address of the remote device.
3. If the user who joined the PC to Azure AD is the only one who is going to connect remotely, no other configuration is needed. To allow more users or groups to connect to the PC, you must allow remote connections for the specified users or groups. Users can be added either manually or through MDM policies:
- When prompted for credentials, specify your user name in `user@domain.com` format.
- You're then prompted to allow the remote desktop connection when connecting to a new PC. Azure AD remembers up to 15 hosts for 30 days before prompting again. If you see this dialogue, select **Yes** to connect.
- Adding users manually
> [!IMPORTANT]
> If your organization has configured and is using [Azure AD Conditional Access](/azure/active-directory/conditional-access/overview), your device must satisfy the conditional access requirements to allow connection to the remote computer. Conditional Access policies with [grant controls](/azure/active-directory/conditional-access/concept-conditional-access-grant) and [session controls](/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime) may be applied to the application **Microsoft Remote Desktop (a4a365df-50f1-4397-bc59-1a1564b8bb9c)** for controlled access.
You can specify individual Azure AD accounts for remote connections by running the following PowerShell cmdlet:
```powershell
net localgroup "Remote Desktop Users" /add "AzureAD\the-UPN-attribute-of-your-user"
```
where *the-UPN-attribute-of-your-user* is the name of the user profile in C:\Users\, which is created based on the DisplayName attribute in Azure AD.
### Disconnection when the session is locked
In order to execute this PowerShell command, you must be a member of the local Administrators group. Otherwise, you'll get an error like this example:
- for cloud only user: "There is no such global user or group : *name*"
- for synced user: "There is no such global user or group : *name*" </br>
The Windows lock screen in the remote session doesn't support Azure AD authentication tokens or passwordless authentication methods like FIDO keys. The lack of support for these authentication methods means that users can't unlock their screens in a remote session. When you try to lock a remote session, either through user action or system policy, the session is instead disconnected and the service sends a message to the user explaining they've been disconnected.
> [!NOTE]
> For devices running Windows 10, version 1703 or earlier, the user must sign in to the remote device first before attempting remote connections.
>
> Starting in Windows 10, version 1709, you can add other Azure AD users to the **Administrators** group on a device in **Settings** and restrict remote credentials to **Administrators**. If there's a problem connecting remotely, make sure that both devices are joined to Azure AD and that TPM is functioning properly on both devices.
Disconnecting the session also ensures that when the connection is relaunched after a period of inactivity, Azure AD reevaluates the applicable conditional access policies.
- Adding users using policy
## Connect without Azure AD Authentication
Starting in Windows 10, version 2004, you can add users to the Remote Desktop Users using MDM policies as described in [How to manage the local administrators group on Azure AD-joined devices](/azure/active-directory/devices/assign-local-admin#manage-administrator-privileges-using-azure-ad-groups-preview).
> [!TIP]
> When you connect to the remote PC, enter your account name in this format: AzureAD\yourloginid@domain.com.
> [!NOTE]
> If you cannot connect using Remote Desktop Connection 6.0, you must turn off the new features of RDP 6.0 and revert back to RDP 5.0 by making a few changes in the RDP file. See the details in this [support article](/troubleshoot/windows-server/remote/remote-desktop-connection-6-prompts-credentials).
## Supported configurations
The table below lists the supported configurations for remotely connecting to an Azure AD-joined PC:
| Criteria | RDP from Azure AD registered device| RDP from Azure AD joined device| RDP from hybrid Azure AD joined device |
| - | - | - | - |
| **Client operating systems**| Windows 10, version 2004 and above| Windows 10, version 1607 and above | Windows 10, version 1607 and above |
| **Supported credentials**| Password, smartcard| Password, smartcard, Windows Hello for Business certificate trust | Password, smartcard, Windows Hello for Business certificate trust |
By default, RDP doesn't use Azure AD authentication, even if the remote PC supports it. This method allows you to connect to the remote Azure AD joined device from:
- [Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join) or [Hybrid Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid) device using Windows 10, version 1607 or later.
- [Azure AD registered](/azure/active-directory/devices/concept-azure-ad-register) device using Windows 10, version 2004 or later.
> [!NOTE]
> If the RDP client is running Windows Server 2016 or Windows Server 2019, to be able to connect to Azure Active Directory-joined PCs, it must [allow Public Key Cryptography Based User-to-User (PKU2U) authentication requests to use online identities](/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities).
> Both the local and remote device must be in the same Azure AD tenant. Azure AD B2B guests aren't supported for Remote desktop.
To connect to the remote computer:
- Launch **Remote Desktop Connection** from Windows Search, or by running `mstsc.exe`.
- Specify the name of the remote computer.
- When prompted for credentials, specify your user name in either `user@domain.com` or `AzureAD\user@domain.com` format.
> [!TIP]
> If you specify your user name in `domain\user` format, you may receive an error indicating the logon attempt failed with the message **Remote machine is AAD joined. If you are signing in to your work account, try using your work email address**.
> [!NOTE]
> When an Azure Active Directory group is added to the Remote Desktop Users group on a Windows device, it isn't honoured when the user that belongs to the Azure AD group logs in through Remote Desktop Protocol (they can't sign in using Remote Desktop Connection). In this scenario, Network Level Authentication should be disabled to run the connection.
> For devices running Windows 10, version 1703 or earlier, the user must sign in to the remote device first before attempting remote connections.
## Related topics
### Supported configurations
This table lists the supported configurations for remotely connecting to an Azure AD joined device without using Azure AD authentication:
| **Criteria** | **Client operating system** | **Supported credentials** |
|--------------------------------------------|-----------------------------------|--------------------------------------------------------------------|
| RDP from **Azure AD registered device** | Windows 10, version 2004 or later | Password, smart card |
| RDP from **Azure AD joined device** | Windows 10, version 1607 or later | Password, smart card, Windows Hello for Business certificate trust |
| RDP from **hybrid Azure AD joined device** | Windows 10, version 1607 or later | Password, smart card, Windows Hello for Business certificate trust |
> [!NOTE]
> If the RDP client is running Windows Server 2016 or Windows Server 2019, to be able to connect to Azure AD joined devices, it must [allow Public Key Cryptography Based User-to-User (PKU2U) authentication requests to use online identities](/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities).
> [!NOTE]
> When an Azure AD group is added to the **Remote Desktop Users** group on a Windows device, it isn't honored when the user that belongs to the Azure AD group logs in through RDP, resulting in failure to establish the remote connection. In this scenario, Network Level Authentication should be disabled to allow the connection.
## Add users to Remote Desktop Users group
Remote Desktop Users group is used to grant users and groups permissions to remotely connect to the device. Users can be added either manually or through MDM policies:
- **Adding users manually**:
You can specify individual Azure AD accounts for remote connections by running the following command, where `<userUPN>` is the UPN of the user, for example `user@domain.com`:
```cmd
net localgroup "Remote Desktop Users" /add "AzureAD\<userUPN>"
```
In order to execute this command, you must be a member of the local Administrators group. Otherwise, you may see an error similar to `There is no such global user or group: <name>`.
- **Adding users using policy**:
Starting in Windows 10, version 2004, you can add users to the Remote Desktop Users using MDM policies as described in [How to manage the local administrators group on Azure AD-joined devices](/azure/active-directory/devices/assign-local-admin#manage-administrator-privileges-using-azure-ad-groups-preview).
## Related articles
[How to use Remote Desktop](https://support.microsoft.com/windows/how-to-use-remote-desktop-5fe128d5-8fb1-7a23-3b8a-41e636865e8c)
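Review bot: the merged text keeps two copies of the same guidance that disagree with each other, so confirm before merging that only the newer wording survives in the file. The "Adding users manually" block appears twice: once fenced as `powershell`, introduced as "the following PowerShell cmdlet" (`net localgroup` is a built-in command, not a cmdlet) and explaining the placeholder as "the name of the user profile in C:\Users\ ... created based on the DisplayName attribute", and once fenced as `cmd` with the placeholder explained as the user's UPN; the `cmd` version with `AzureAD\<userUPN>` is the accurate one. Likewise the "Supported configurations" table appears under both `## Supported configurations` and `### Supported configurations` in transposed layouts, the two PKU2U notes differ only in "Azure Active Directory-joined" versus "Azure AD joined", the Remote Desktop Users group note is spelled "honoured" in one copy and "honored" in the other, and both `## Related topics` and `## Related articles` remain. The older error list also carries a stray `</br>` after "for synced user" and gives the identical message for cloud-only and synced users, which the single `There is no such global user or group: <name>` line already covers.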

View File

@ -1,312 +0,0 @@
---
title: Data structures for Microsoft Store for Business
description: Learn about the various data structures for Microsoft Store for Business.
MS-HAID:
- 'p\_phdevicemgmt.business\_store\_data\_structures'
- 'p\_phDeviceMgmt.data\_structures\_windows\_store\_for\_business'
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.date: 09/18/2017
---
# Data structures for Microsoft Store for Business
Here's the list of data structures used in the Microsoft Store for Business REST APIs:
- [AlternateIdentifier](#alternateidentifier)
- [BulkSeatOperationResultSet](#bulkseatoperationresultset)
- [FailedSeatRequest](#failedseatrequest)
- [FrameworkPackageDetails](#frameworkpackagedetails)
- [InventoryDistributionPolicy](#inventorydistributionpolicy)
- [InventoryEntryDetails](#inventoryentrydetails)
- [InventoryResultSet](#inventoryresultset)
- [InventoryStatus](#inventorystatus)
- [LicenseType](#licensetype)
- [LocalizedProductDetail](#localizedproductdetail)
- [OfflineLicense](#offlinelicense)
- [PackageContentInfo](#packagecontentinfo)
- [PackageLocation](#packagelocation)
- [ProductArchitectures](#productarchitectures)
- [ProductDetails](#productdetails)
- [ProductImage](#productimage)
- [ProductKey](#productkey)
- [ProductPackageDetails](#productpackagedetails)
- [ProductPackageFormat](#productpackageformat)
- [ProductPackageSet](#productpackageset)
- [ProductPlatform](#productplatform)
- [PublisherDetails](#publisherdetails)
- [SeatAction](#seataction)
- [SeatDetails](#seatdetails)
- [SeatDetailsResultSet](#seatdetailsresultset)
- [SeatState](#seatstate)
- [SupportedProductPlatform](#supportedproductplatform)
- [VersionInfo](#versioninfo)
## AlternateIdentifier
Specifies the properties of the alternate identifier.
|Name|Type|Description|
|--- |--- |--- |
|Type|String|LegacyWindowStoreProductId, LegacyWindowsPhoneProductId, RedirectToThresholdProductId|
|Value|String||
## BulkSeatOperationResultSet
|Name|Type|
|--- |--- |
|seatDetails|Collection of [SeatDetails](#seatdetails)|
|failedSeatOperations|Collection of [FailedSeatRequest](#failedseatrequest)|
## FailedSeatRequest
|Name|Type|
|--- |--- |
|failureReason|String|
|productKey|[ProductKey](#productkey)|
|userName|String|
## FrameworkPackageDetails
|Name|Type|Description|
|--- |--- |--- |
|packageId|String||
|contentId|String|Identifies a specific application.|
|Location|[PackageLocation](#packagelocation)||
|packageFullName|String||
|packageIdentityName|String||
|Architectures|Collection of [ProductArchitectures](#productarchitectures)||
|packageFormat|[ProductPackageFormat](#productpackageformat)||
|Platforms|Collection of [ProductPlatform](#productplatform)||
|fileSize|integer-64|Size of the file.|
|packageRank|integer-32|Optional|
## InventoryDistributionPolicy
|Name|Description|
|--- |--- |
|Open|Open distribution policy - licenses/seats can be assigned/consumed without limit|
|Restricted|Restricted distribution policy - licenses/seats must be assigned/consumed according to the available count|
## InventoryEntryDetails
|Name|Type|Description|
|--- |--- |--- |
|productKey|[ProductKey](#productkey)|Identifier used on subsequent requests to get more content including product descriptions, offline license, and download URLs.|
|seatCapacity|integer-64|Total number of seats that have been purchased for an application.|
|availableSeats|integer-64|Number of available seats remaining for an application.|
|lastModified|dateTime|Specifies the last modified date for an application. Modifications for an application include updated product details, updates to an application, and updates to the quantity of an application.|
|licenseType|[LicenseType](#licensetype)|Indicates whether the set of seats for a given application supports online or offline licensing.|
|distributionPolicy|[InventoryDistributionPolicy](#inventorydistributionpolicy)||
|status|[InventoryStatus](#inventorystatus)||
## InventoryResultSet
|Name|Type|Description|
|--- |--- |--- |
|continuationToken|String|Only available if there is a next page.|
|inventoryEntries|Collection of [InventoryEntryDetails](#inventoryentrydetails)||
## InventoryStatus
|Name|Description|
|--- |--- |
|Active|Entry is available in the organizations inventory.|
|Removed|Entry has been removed from the organizations inventory.|
## LicenseType
|Name|Description|
|--- |--- |
|Online|Online license application.|
|Offline|Offline license application.|
## LocalizedProductDetail
Specifies the properties of the localized product.
|Name|Type|Description|
|--- |--- |--- |
|Language|String|Language or fallback language if the specified language is not available.|
|displayName|String|Display name of the application.|
|Description|String|App description provided by developer can be up to 10,000 characters.|
|Images|Collection of [ProductImage](#productimage)|Artwork and icon associated with the application.|
|Publisher|[PublisherDetails](#publisherdetails)|Publisher of the application.|
## OfflineLicense
|Name|Type|Description|
|--- |--- |--- |
|productKey|[ProductKey](#productkey)|Identifies a set of seats associated with an application.|
|licenseBlob|String|Base-64 encoded offline license that can be installed via a CSP.|
|licenseInstanceId|String|Version of the license.|
|requestorId|String|Organization requesting the license.|
|contentId|String|Identifies the specific license required by an application.|
## PackageContentInfo
|Name|Type|
|--- |--- |
|productPlatforms|Collection of ProductPlatform|
|packageFormat|String|
## PackageLocation
|Name|Type|Description|
|--- |--- |--- |
|Url|URI|CDN location of the packages. URL expiration is based on the estimated time to download the package.|
## ProductArchitectures
|Name|
|--- |
|Neutral|
|Arm|
|x86|
|x64|
## ProductDetails
|Name|Type|Description|
|--- |--- |--- |
|productKey|[ProductKey](#productkey)|Identifier used on subsequent requests to get more content including product descriptions, offline license, and download URLs.|
|productType|String|Type of product.|
|supportedLanguages|Collection of string|The set of localized languages for an application.|
|publisherId|String|Publisher identifier.|
|Category|String|Application category.|
|alternateIds|Collection of [AlternateIdentifier](#alternateidentifier)|The identifiers that can be used to instantiate the installation of on online application.|
|packageFamilyName|String||
|supportedPlatforms|Collection of [ProductPlatform](#productplatform)||
## ProductImage
Specifies the properties of the product image.
|Name|Type|Description|
|--- |--- |--- |
|location|URI|Location of the download image.|
|purpose|string|Tag for the image, for example "screenshot" or "logo".|
|height|string|Height of the image in pixels.|
|width|string|Width of the image in pixels.|
|caption|string|Unlimited length.|
|backgroundColor|string|Format "#RRGGBB"|
|foregroundColor|string|Format "#RRGGBB"|
|fileSize|integer-64|Size of the file.|
## ProductKey
Specifies the properties of the product key.
|Name|Type|Description|
|--- |--- |--- |
|productId|String|Product identifier for an application that is used by the Store for Business.|
|skuId|String|Product identifier that specifies a specific SKU of an application.|
## ProductPackageDetails
|Name|Type|Description|
|--- |--- |--- |
|frameworkDependencyPackages|Collection of [FrameworkPackageDetails](#frameworkpackagedetails)||
|packageId|String||
|contentId|String|Identifies a specific application.|
|Location|[PackageLocation](#packagelocation)||
|packageFullName|String|Example, Microsoft.BingTranslator_1.1.10917.2059_x86__8wekyb3d8bbwe|
|packageIdentityName|String|Example, Microsoft.BingTranslator|
|Architectures|Collection of [ProductArchitectures](#productarchitectures)|Values {x86, x64, arm, neutral}|
|packageFormat|[ProductPackageFormat](#productpackageformat)|Extension of the package file.|
|Platforms|Collection of [ProductPlatform](#productplatform)||
|fileSize|integer-64|Size of the file.|
|packageRank|integer-32|Optional|
## ProductPackageFormat
|Name|
|--- |
|Appx|
|appxBundle|
|Xap|
## ProductPackageSet
|Name|Type|Description|
|--- |--- |--- |
|packageSetId|String|An identifier for the particular combination of application packages.|
|productPackages|Collection of [ProductPackageDetails](#productpackagedetails)|A collection of application packages.|
## ProductPlatform
|Name|Type|
|--- |--- |
|platformName|String|
|minVersion|[VersionInfo](#versioninfo)|
|maxTestedVersion|[VersionInfo](#versioninfo)|
## PublisherDetails
Specifies the properties of the publisher details.
|Name|Type|Description|
|--- |--- |--- |
|publisherName|String|Name of the publisher.|
|publisherWebsite|String|Website of the publisher.|
## SeatAction
|Name|
|--- |
|Assign|
|Reclaim|
## SeatDetails
|Name|Type|Description|
|--- |--- |--- |
|assignedTo|String|Format = UPN (user@domain)|
|dateAssigned|Datetime||
|State|[SeatState](#seatstate)||
|productKey|[ProductKey](#productkey)||
## SeatDetailsResultSet
|Name|Type|
|--- |--- |
|Seats|Collection of [SeatDetails](#seatdetails)|
|continuationToken|String|
## SeatState
|Name|
|--- |
|Active|
|Revoked|
## SupportedProductPlatform
|Name|Type|
|--- |--- |
|platformName|String|
|minVersion|[VersionInfo](#versioninfo)|
|maxTestedVersion|[VersionInfo](#versioninfo)|
|Architectures|Collection of [ProductArchitectures](#productarchitectures)|
## VersionInfo
|Name|Type|
|--- |--- |
|Major|integer-32|
|Minor|integer-32|
|Build|integer-32|
|Revision|integer-32|
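Review bot: deleting this page removes the anchors (`#licensetype`, `#inventoryresultset`, `#localizedproductdetail`, `#offlinelicense`, `#productdetails`, `#productpackagedetails`, `#productpackageset`, `#seatdetails`, `#seatdetailsresultset`) that the Get Inventory, Get localized product details, Get offline license, Get product details, Get product package, Get product packages, Get seat, Get seats assigned to a user and Get seats pages link to. Those pages are deleted in the same commit, so no dangling links remain within this diff, but a page-level redirect of `data-structures-windows-store-for-business.md` does not carry a fragment, so any surviving page that deep-links to one of these anchors needs its link changed rather than relying on the redirect.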

View File

@ -34,6 +34,7 @@
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"adobe-target": true,
"ms.collection": [
"tier2"
],
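Review bot: `"adobe-target": true` is added to `globalMetadata` with nothing recording what it enables; confirm the key name is the intended one and note its purpose in the PR, since keys in `globalMetadata` are passed through to the build rather than validated, so a misspelling here would not be reported.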

View File

@ -1,64 +0,0 @@
---
title: Get Inventory
description: The Get Inventory operation retrieves information from the Microsoft Store for Business to determine if new or updated applications are available.
MS-HAID:
- 'p\_phdevicemgmt.get\_seatblock'
- 'p\_phDeviceMgmt.get\_inventory'
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.date: 09/18/2017
---
# Get Inventory
The **Get Inventory** operation retrieves information from the Microsoft Store for Business to determine if new or updated applications are available.
## Request
**GET:**
```http
https://bspmts.mp.microsoft.com/V1/Inventory?continuationToken={ContinuationToken}&amp;modifiedSince={ModifiedSince}&amp;licenseTypes={LicenseType}&amp;maxResults={MaxResults}
```
### URI parameters
The following parameters may be specified in the request URI.
|Parameter|Type|Default value|Description|
|--- |--- |--- |--- |
|continuationToken|string|Null||
|modifiedSince|datetime|Null|Optional. Used to determine changes since a specific date.|
|licenseTypes|collection of [LicenseType](data-structures-windows-store-for-business.md#licensetype)|{online,offline}|Optional. A collection of license types|
|maxResults|integer-32|25|Optional. Specifies the maximum number of applications returned in a single query.|
Here are some examples.
|Query type|Example query|
|--- |--- |
|Online and offline|[https://bspmts.mp.microsoft.com/V1/Inventory?licenseTypes=online&licenseTypes=offline&maxResults=25](https://bspmts.mp.microsoft.com/V1/Inventory?licenseTypes=online&licenseTypes=offline&maxResults=25)|
|Online only|[https://bspmts.mp.microsoft.com/V1/Inventory?licenseTypes=online&maxResults=25](https://bspmts.mp.microsoft.com/V1/Inventory?licenseTypes=online&maxResults=25)|
|Offline only|[https://bspmts.mp.microsoft.com/V1/Inventory?licenseTypes=offline&maxResults=25](https://bspmts.mp.microsoft.com/V1/Inventory?licenseTypes=offline&maxResults=25)|
|Both license types and a time filter|[https://bspmts.mp.microsoft.com/V1/Inventory?modifiedSince=2015-07-13T14%3a02%3a25.6863382-07%3a00&licenseTypes=online&licenseTypes=offline&maxResults=25](https://bspmts.mp.microsoft.com/V1/Inventory?modifiedSince=2015-07-13T14%3a02%3a25.6863382-07%3a00&licenseTypes=online&licenseTypes=offline&maxResults=25)|
|Error code|Description|Retry|Data field|
|--- |--- |--- |--- |
|400|Invalid parameters|No|Parameter name<br><br>Invalid modified date, license, or continuationToken<br><br>Details: String|
## Response
### Response body
The response contains [InventoryResultSet](data-structures-windows-store-for-business.md#inventoryresultset).

View File

@ -1,52 +0,0 @@
---
title: Get localized product details
description: The Get localized product details operation retrieves the localization information of a product from the Microsoft Store for Business.
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.date: 12/07/2020
---
# Get localized product details
The **Get localized product details** operation retrieves the localization information of a product from the Microsoft Store for Business.
## Request
**GET:**
```http
https://bspmts.mp.microsoft.com/V1/Products/{ProductId}/{SkuId}/LocalizedDetails/{language}
```
### URI parameters
The following parameters may be specified in the request URI.
|Parameter|Type|Description|
|--- |--- |--- |
|productId|string|Required. Product identifier for an application that is used by the Store for Business.|
|skuId|string|Required. Product identifier that specifies a specific SKU of an application.|
|language|string|Required. Language in ISO format, such as en-us, en-ca.|
|Error code|Description|Retry|Data field|
|--- |--- |--- |--- |
|400|Invalid parameters|No|Parameter name<br>Reason: Missing parameter or invalid parameter<br>Details: String|
|404|Not found||Item type: productId, skuId, language|
## Response
The response contains [LocalizedProductDetail](data-structures-windows-store-for-business.md#localizedproductdetail).
 

View File

@ -1,54 +0,0 @@
---
title: Get offline license
description: The Get offline license operation retrieves the offline license information of a product from the Microsoft Store for Business.
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.date: 09/18/2017
---
# Get offline license
The **Get offline license** operation retrieves the offline license information of a product from the Microsoft Store for Business.
## Request
**POST:**
```http
https://bspmts.mp.microsoft.com/V1/Products/{productId}/{skuId}/OfflineLicense/{contentId}
```
### URI parameters
The following parameters may be specified in the request URI.
|Parameter|Type|Description|
|--- |--- |--- |
|productId|string|Required. Identifies a specific product that has been acquired.|
|skuId|string|Required. The SKU identifier.|
|contentId|string|Required. Identifies a specific application.|
|Error code|Description|Retry|Data field|
|--- |--- |--- |--- |
|400|Invalid parameters|No|Parameter name<br>Reason: Missing parameter or invalid parameter<br>Details: String|
|404|Not found|||
|409|Conflict||Reason: Not owned, Not offline|
## Response
### Response body
The response contains [OfflineLicense](data-structures-windows-store-for-business.md#offlinelicense).
 

View File

@ -1,52 +0,0 @@
---
title: Get product details
description: The Get product details operation retrieves the product information from the Microsoft Store for Business for a specific application.
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.date: 09/18/2017
---
# Get product details
The **Get product details** operation retrieves the product information from the Microsoft Store for Business for a specific application.
## Request
**GET:**
```http
https://bspmts.mp.microsoft.com/V1/Products/{productId}/{skuId}
```
### URI parameters
The following parameters may be specified in the request URI.
|Parameter|Type|Description|
|--- |--- |--- |
|productId|string|Required. Product identifier for an application that is used by the Store for Business.|
|skuId|string|Required. Product identifier that specifies a specific SKU of an application.|
|Error code|Description|Retry|Data field|
|--- |--- |--- |--- |
|400|Invalid parameters|No|Parameter name<br>Reason: Missing parameter or invalid parameter<br>Details: String|
|404|Not found|||
## Response
### Response body
The response contains [ProductDetails](data-structures-windows-store-for-business.md#productdetails).
 

View File

@ -1,54 +0,0 @@
---
title: Get product package
description: The Get product package operation retrieves the information about a specific application in the Microsoft Store for Business.
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.date: 09/18/2017
---
# Get product package
The **Get product package** operation retrieves the information about a specific application in the Microsoft Store for Business.
## Request
**GET:**
```http
https://bspmts.mp.microsoft.com/V1/Products/{productId}/{skuId}/Packages/{packageId}
```
### URI parameters
The following parameters may be specified in the request URI.
|Parameter|Type|Description|
|--- |--- |--- |
|productId|string|Required. Product identifier for an application that is used by the Store for Business.|
|skuId|string|Required. Product identifier that specifies a specific SKU of an application.|
|packageId|string|Required.|
|Error code|Description|Retry|Data field|Details|
|--- |--- |--- |--- |--- |
|400|Invalid parameters|No|Parameter name <br/> <br/>Reason: Invalid parameter <br/> <br/>Details: String|Can be productId, skuId, or packageId|
|404|Not found|||Item type: Product/SKU|
|409|Conflict||Reason: Not owned||
## Response
### Response body
The response body contains [ProductPackageDetails](data-structures-windows-store-for-business.md#productpackagedetails).
 

View File

@ -1,53 +0,0 @@
---
title: Get product packages
description: The Get product packages operation retrieves the information about applications in the Microsoft Store for Business.
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.date: 09/18/2017
---
# Get product packages
The **Get product packages** operation retrieves the information about applications in the Microsoft Store for Business.
## Request
**GET:**
```http
https://bspmts.mp.microsoft.com/V1/Products/{productId}/{skuId}/Packages
```
 
### URI parameters
The following parameters may be specified in the request URI.
|Parameter|Type|Description|
|--- |--- |--- |
|productId|string|Required. Product identifier for an application that is used by the Store for Business.|
|skuId|string|Required. Product identifier that specifies a specific SKU of an application.|
|Error code|Description|Retry|Data field|
|--- |--- |--- |--- |
|400|Invalid parameters|No|Parameter name <br/> <br/>Reason: Missing parameter or invalid parameter <br/> <br/>Details: String|
|404|Not found|||
|409|Conflict||Reason: Not owned|
## Response
### Response body
The response body contains [ProductPackageSet](data-structures-windows-store-for-business.md#productpackageset).
 

View File

@ -1,47 +0,0 @@
---
title: Get seat
description: The Get seat operation retrieves the information about an active seat for a specified user in the Microsoft Store for Business.
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.date: 09/18/2017
---
# Get seat
The **Get seat** operation retrieves the information about an active seat for a specified user in the Microsoft Store for Business.
## Request
**GET:**
```http
https://bspmts.mp.microsoft.com/V1/Inventory/{productId}/{skuId}/Seats/{username}
```
### URI parameters
The following parameters may be specified in the request URI.
|Parameter|Type|Description|
|--- |--- |--- |
|productId|string|Required. Product identifier for an application that is used by the Store for Business.|
|skuId|string|Required. Product identifier that specifies a specific SKU of an application.|
|username|string|Requires UserPrincipalName (UPN). User name of the target user account.|
 
## Response
### Response body
The response body contains [SeatDetails](data-structures-windows-store-for-business.md#seatdetails).
|Error code|Description|Retry|Data field|Details|
|--- |--- |--- |--- |--- |
|400|Invalid parameters|No|Parameter name <br/><br/>Reason: Missing parameter or invalid parameter<br/><br/>Details: String|Invalid can include productId, skuId or username|
|404|Not found|||ItemType: Inventory, User, Seat<br/><br/>Values: ProductId/SkuId, UserName, ProductId/SkuId/Username|
|409|Conflict||Reason: Not online||

View File

@ -1,55 +0,0 @@
---
title: Get seats assigned to a user
description: The Get seats assigned to a user operation retrieves information about assigned seats in the Microsoft Store for Business.
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.date: 09/18/2017
---
# Get seats assigned to a user
The **Get seats assigned to a user** operation retrieves information about assigned seats in the Microsoft Store for Business.
## Request
**GET:**
```http
https:<span></span>//bspmts.mp.microsoft.com/V1/Users/{username}/Seats?continuationToken={ContinuationToken}&amp;maxResults={MaxResults}
```
### URI parameters
The following parameters may be specified in the request URI.
|Parameter|Type|Description|
|--- |--- |--- |
|useName|string|Requires UserPrincipalName (UPN). User name of the target user account.|
|continuationToken|string|Optional.|
|maxResults|inteter-32|Optional. Default = 25, Maximum = 100|
 
## Response
### Response body
The response body contains [SeatDetailsResultSet](data-structures-windows-store-for-business.md#seatdetailsresultset).
|Error code|Description|Retry|Data field|
|--- |--- |--- |--- |
|400|Invalid parameters|No|Parameter name<br><br>Reason: Invalid parameter<br><br>Details: String|
|404|Not found||Item type: User<br><br>Values: UserName|
 
 

View File

@ -1,50 +0,0 @@
---
title: Get seats
description: The Get seats operation retrieves the information about active seats in the Microsoft Store for Business.
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.date: 09/18/2017
---
# Get seats
The **Get seats** operation retrieves the information about active seats in the Microsoft Store for Business.
## Request
**GET:**
```http
https://bspmts.mp.microsoft.com/V1/Inventory/{productId}/{skuId}/Seats?continuationToken={ContinuationToken}&amp;maxResults={MaxResults}
```
### URI parameters
The following parameters may be specified in the request URI.
|Parameter|Type|Description|
|--- |--- |--- |
|productId|string|Required. Product identifier for an application that is used by the Store for Business.|
|skuId|string|Required. Product identifier that specifies a specific SKU of an application.|
|continuationToken|string|Optional.|
|maxResults|int32|Optional. Default = 25, Maximum = 100|
## Response
### Response body
The response body contains [SeatDetailsResultSet](data-structures-windows-store-for-business.md#seatdetailsresultset).
|Error code|Description|Retry|Data field|
|--- |--- |--- |--- |
|400|Invalid parameters|No|Parameter name <br> Reason: Missing parameter or invalid parameter <br> Details: String|
|404|Not found|||
|409|Conflict||Reason: Not online|

View File

@ -1,110 +0,0 @@
---
title: Management tool for the Microsoft Store for Business
description: The Microsoft Store for Business has a new web service designed for the enterprise to acquire, manage, and distribute applications in bulk.
MS-HAID:
- 'p\_phdevicemgmt.business\_store\_portal\_management\_tool'
- 'p\_phDeviceMgmt.management\_tool\_for\_windows\_store\_for\_business'
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.date: 10/27/2017
---
# Management tool for the Microsoft Store for Business
The Microsoft Store for Business has a new web service designed for the enterprise to acquire, manage, and distribute applications in bulk. The Store for Business enables several capabilities that are required for the enterprise to manage the lifecycle of applications from acquisition to updates.
Here's the list of the available capabilities:
- Support for enterprise identities Enables end users within an organization to use the identity that has been provided to them within the organization. This feature enables an organization to keep control of the application and eliminates the need for an organization to maintain another set of identities for their users.
- Bulk acquisition support of applications Enables an IT administrator to acquire applications in bulk. IT departments can now take control over the procurement and distribution of applications. Previously, users acquire applications manually.
- License reclaim and reuse Enables an enterprise to keep value in their purchases by allowing the ability to unassign access to an application, and then reassign the application to another user. In Microsoft Store today, when a user with a Microsoft account leaves the organization, they keep ownership of the application.
- Flexible distribution models for Microsoft Store apps Allows enterprises to integrate with an organization's infrastructure. It also allows the processes to distribute applications to devices that are connected to Store for Business services and to devices without connectivity to the Store for Business services.
- Custom Line of Business app support Enables management and distribution of enterprise applications through the Store for Business.
- Support for Windows client devices - The Store for Business supports client devices.
For more information, see [Microsoft Store for Business and Education](/microsoft-store/).
## Management services
The Store for Business provides services that enable a management tool to synchronize new and updated applications for an organization. Once synchronized, you can distribute new and updated applications using the Windows Management framework. The services provide several features, including providing application data, can assign and reclaim applications, and can download offline-licensed application packages.
- **Application data**: The Store for Business service provides metadata for the applications that have been acquired via the Store for Business. This metadata includes:
- The application identifier that's used to deploy online license applications
- Artwork for an application that's used to create a company portal
- Localized descriptions for applications
- **Licensing models**:
- **Online-licensed** applications require connectivity to the Microsoft Store. Users require an Azure Active Directory identity, and rely on the store services on the device to get an application from the store. It's similar to how applications are acquired from the Microsoft Store using a Microsoft account. Assigning or reclaiming seats for an application require a call to the Store for Business services.
- **Offline-licensed** applications enable an organization to use the application for imaging and for devices that may not have connectivity to the store or may not have Azure Active Directory. Offline-licensed applications don't require connectivity to the store. It can be updated directly from the store if the device has connectivity, and the app update policies allow updates to be distributed using the store.
### Offline-licensed application distribution
The following diagram is an overview of app distribution, from getting an offline-licensed application to distributing to clients. Once the applications are synchronized from the Store for Business, the management tool can use the Windows management framework to distribute applications to devices.
![business store offline app distribution.](images/businessstoreportalservices2.png)
### Online-licensed application distribution
The following diagram is an overview of app distribution, from getting an online-licensed application to distributing to clients. Once the applications are synchronized from the Store for Business, the management tool can use the Windows management framework to distribute applications to devices. For online-licensed applications, the management tool calls back into the Store for Business management services to assign an application before issuing the policy to install the application.
![business store online app distribution.](images/businessstoreportalservices3.png)
## Integrate with Azure Active Directory
The Store for Business services use Azure Active Directory for authentication. The management tool must be registered as an Azure AD application within an organization tenant to authenticate against the Store for Business.
The following articles have more information about Azure AD, and how to register your application within Azure AD:
- Adding an application to Azure Active Directory - [Azure Active Directory integration with MDM](azure-active-directory-integration-with-mdm.md)
- Accessing other Web applications and configuring your application to access other APIs - [Integrating Applications with Azure Active Directory](/azure/active-directory/develop/quickstart-register-app)
- Authenticating to the Store for Business services via Azure AD - [Authentication Scenarios for Azure Active Directory](/azure/active-directory/develop/authentication-vs-authorization)
For code samples, see [Microsoft Azure Active Directory Samples and Documentation](https://go.microsoft.com/fwlink/p/?LinkId=623024) in GitHub. Patterns are similar to [Daemon-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=623025) and [ConsoleApp-GraphAPI-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=623026).
## Configure your Azure AD application
See [Quickstart: Register an application with the Microsoft identity platform](/azure/active-directory/develop/quickstart-register-app) for the steps to configure your Azure AD app.
## Azure AD Authentication for MTS
MTS requires calls to be authenticated using an Azure AD OAuth bearer token. The authorization token is for the Azure AD application representing the MDM component (service/daemon/on-prem instance) within the context of the directory/tenant it will be working on behalf-of.
Here are the details for requesting an authorization token:
- Login Authority = `https://login.windows.net/<TargetTenantId>`
- Resource/audience = `https://onestore.microsoft.com`: The token audience URI is an application identifier for which the token is being generated. It's not a URL for a service endpoint or a web page.
- ClientId = your Azure AD application client ID
- ClientSecret = your Azure AD application client secret/key
## Using the management tool
After you register your management tool with Azure AD, the management tool can call into the management services. There are a couple of call patterns:
- First the ability to get new or updated applications.
- Second the ability to assign or reclaim applications.
The diagram below shows the call patterns for acquiring a new or updated application.
![business store portal service flow diagram.](images/businessstoreportalservicesflow.png)
**Here is the list of available operations**:
- [Get Inventory](get-inventory.md)
- [Get product details](get-product-details.md)
- [Get localized product details](get-localized-product-details.md)
- [Get offline license](get-offline-license.md)
- [Get product packages](get-product-packages.md)
- [Get product package](get-product-package.md)
- [Get seats](get-seats.md)
- [Get seat](get-seat.md)
- [Assign seats](assign-seats.md)
- [Reclaim seat from user](reclaim-seat-from-user.md)
- [Bulk assign and reclaim seats for users](bulk-assign-and-reclaim-seats-from-user.md)
- [Get seats assigned to a user](get-seats-assigned-to-a-user.md)
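Review bot: this deletion removes the only page that documents how a management tool authenticates to MTS (the `https://login.windows.net/<TargetTenantId>` login authority, the `https://onestore.microsoft.com` token audience, and the client ID/secret pairing) together with the index of REST operations (Get seats, Get seats assigned to a user, and the rest), several of which are deleted in the same commit. Before merging, confirm that a redirect is in place for this page and that no remaining client-management article still links to it or to the operation pages listed here, otherwise those links will 404.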

View File

@ -29,7 +29,7 @@ For details about Microsoft mobile device management protocols for Windows 10 an
| [eUUICs](mdm/euiccs-csp.md) | Added the following node:<br><li>IsDiscoveryServer |
| [PersonalDataEncryption](mdm/personaldataencryption-csp.md) | New CSP |
| [Policy CSP](mdm/policy-configuration-service-provider.md) | Added the following nodes:<br><li>Accounts/RestrictToEnterpriseDeviceAuthenticationOnly<br><li>DesktopAppInstaller/EnableAdditionalSources<br><li>DesktopAppInstaller/EnableAllowedSources<br><li>DesktopAppInstaller/EnableAppInstaller<br><li>DesktopAppInstaller/EnableDefaultSource<br><li>DesktopAppInstaller/EnableExperimentalFeatures<br><li>DesktopAppInstaller/EnableHashOverride<br><li>DesktopAppInstaller/EnableLocalManifestFiles<br><li>DesktopAppInstaller/EnableMicrosoftStoreSource<br><li>DesktopAppInstaller/EnableMSAppInstallerProtocol<br><li>DesktopAppInstaller/EnableSettings<br><li>DesktopAppInstaller/SourceAutoUpdateInterval<br><li>Education/EnableEduThemes<br><li>Experience/AllowSpotlightCollectionOnDesktop<br><li>FileExplorer/DisableGraphRecentItems<br><li>HumanPresence/ForceInstantDim<br><li>InternetExplorer/EnableGlobalWindowListInIEMode<br><li>InternetExplorer/HideIEAppRetirementNotification<br><li>InternetExplorer/ResetZoomForDialogInIEMode<br><li>LocalSecurityAuthority/AllowCustomSSPsAPs<br><li>LocalSecurityAuthority/ConfigureLsaProtectedProcess<br><li>MixedReality/AllowCaptivePortalBeforeLogon<br><li>MixedReality/AllowLaunchUriInSingleAppKiosk<br><li>MixedReality/AutoLogonUser<br><li>MixedReality/ConfigureMovingPlatform<br><li>MixedReality/ConfigureNtpClient<br><li>MixedReality/ManualDownDirectionDisabled<br><li>MixedReality/NtpClientEnabled<br><li>MixedReality/SkipCalibrationDuringSetup<br><li>MixedReality/SkipTrainingDuringSetup<br><li>NetworkListManager/AllowedTlsAuthenticationEndpoints<br><li>NetworkListManager/ConfiguredTLSAuthenticationNetworkName<br><li>Printers/ConfigureCopyFilesPolicy<br><li>Printers/ConfigureDriverValidationLevel<br><li>Printers/ConfigureIppPageCountsPolicy<br><li>Printers/ConfigureRedirectionGuard<br><li>Printers/ConfigureRpcConnectionPolicy<br><li>Printers/ConfigureRpcListenerPolicy<br><li>Printers/ConfigureRpcTcpPort<br><li>Printers/ManageDriverExclusionList<br><l
i>Printers/RestrictDriverInstallationToAdministrators<br><li>RemoteDesktopServices/DoNotAllowWebAuthnRedirection<br><li>Search/AllowSearchHighlights<br><li>Search/DisableSearch<br><li>SharedPC/EnabledSharedPCModeWithOneDriveSync<br><li>Start/DisableControlCenter<br><li>Start/DisableEditingQuickSettings<br><li>Start/HideRecommendedSection<br><li>Start/HideTaskViewButton<br><li>Start/SimplifyQuickSettings<br><li>Stickers/EnableStickers<br><li>Textinput/allowimenetworkaccess<br><li>Update/NoUpdateNotificationDuringActiveHours<br><li>WebThreatDefense/EnableService<br><li>WebThreatDefense/NotifyMalicious<br><li>WebThreatDefense/NotifyPasswordReuse<br><li>WebThreatDefense/NotifyUnsafeApp<br><li>Windowslogon/EnableMPRNotifications |
| [SecureAssessment](mdm/secureassessment-csp.md) | Added the following node:<br><li>Asssessments |
| [SecureAssessment](mdm/secureassessment-csp.md) | Added the following node:<br><li>Assessments |
| [WindowsAutopilot](mdm/windowsautopilot-csp.md) | Added the following node:<br><li>HardwareMismatchRemediationData |
## What's new in MDM for Windows 11, version 21H2
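Review bot: the `Asssessments` to `Assessments` fix in the SecureAssessment row is correct, but the same table carries a second typo two rows up that should go in the same pass: the row label `eUUICs` should be `eUICCs`, matching the linked `mdm/euiccs-csp.md`.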
@ -75,7 +75,6 @@ For details about Microsoft mobile device management protocols for Windows 10 an
| [EnrollmentStatusTracking CSP](mdm/enrollmentstatustracking-csp.md) | Added the new CSP. |
| [PassportForWork CSP](mdm/passportforwork-csp.md) | Added the following new nodes:<br><li>SecurityKey<br><li>SecurityKey/UseSecurityKeyForSignin |
## What's new in MDM for Windows 10, version 1809
| New or updated article | Description |
@ -139,15 +138,15 @@ In your deployment, if you have multiple certificates provisioned on the device
Enterprises deploying certificate-based EAP authentication for VPN/Wi-Fi can face a situation where there are multiple certificates that meet the default criteria for authentication. This situation can lead to issues such as:
- The user may be prompted to select the certificate.
- The wrong certificate may get auto selected and cause an authentication failure.
- The user may be prompted to select the certificate.
- The wrong certificate may get auto selected and cause an authentication failure.
A production ready deployment must have the appropriate certificate details as part of the profile being deployed. The following information explains how to create or update an EAP Configuration XML such that the extraneous certificates are filtered out and the appropriate certificate can be used for the authentication.
EAP XML must be updated with relevant information for your environment. This task can be done either manually by editing the XML sample below, or by using the step by step UI guide. After the EAP XML is updated, refer to instructions from your MDM to deploy the updated configuration as follows:
- For Wi-Fi, look for the &lt;EAPConfig&gt; section of your current WLAN Profile XML (This detail is what you specify for the WLanXml node in the Wi-Fi CSP). Within these tags, you'll find the complete EAP configuration. Replace the section under &lt;EAPConfig&gt; with your updated XML and update your Wi-Fi profile. You might need to refer to your MDMs guidance on how to deploy a new Wi-Fi profile.
- For VPN, EAP Configuration is a separate field in the MDM Configuration. Work with your MDM provider to identify and update the appropriate Field.
- For Wi-Fi, look for the &lt;EAPConfig&gt; section of your current WLAN Profile XML (This detail is what you specify for the WLanXml node in the Wi-Fi CSP). Within these tags, you'll find the complete EAP configuration. Replace the section under &lt;EAPConfig&gt; with your updated XML and update your Wi-Fi profile. You might need to refer to your MDMs guidance on how to deploy a new Wi-Fi profile.
- For VPN, EAP Configuration is a separate field in the MDM Configuration. Work with your MDM provider to identify and update the appropriate Field.
For information about EAP Settings, see <https://technet.microsoft.com/library/hh945104.aspx#BKMK_Cfg_cert_Selct>.
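Review bot: the re-indented Wi-Fi bullet keeps a small grammar slip in both the removed and the added line: `your MDMs guidance` should be `your MDM's guidance`. Since the line is being touched anyway, fix it here rather than in a follow-up.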
@ -159,18 +158,17 @@ For information about adding extended key usage (EKU) to a certificate, see <htt
The following list describes the prerequisites for a certificate to be used with EAP:
- The certificate must have at least one of the following EKU (Extended Key Usage) properties:
- Client Authentication.
- As defined by RFC 5280, this property is a well-defined OID with Value 1.3.6.1.5.5.7.3.2.
- Any Purpose.
- An EKU Defined and published by Microsoft, is a well-defined OID with value 1.3.6.1.4.1.311.10.12.1. The inclusion of this OID implies that the certificate can be used for any purpose. The advantage of this EKU over the All Purpose EKU is that other non-critical or custom EKUs can still be added to the certificate for effective filtering.
- All Purpose.
- As defined by RFC 5280, If a CA includes extended key usages to satisfy some application needs, but doesn't want to restrict usage of the key, the CA can add an Extended Key Usage Value of 0. A certificate with such an EKU can be used for all purposes.
- The user or the computer certificate on the client chains to a trusted root CA.
- The user or the computer certificate doesn't fail any one of the checks that are performed by the CryptoAPI certificate store, and the certificate passes requirements in the remote access policy.
- The user or the computer certificate doesn't fail any one of the certificate object identifier checks that are specified in the Internet Authentication Service (IAS)/Radius Server.
- The Subject Alternative Name (SubjectAltName) extension in the certificate contains the user principal name (UPN) of the user.
- The certificate must have at least one of the following EKU (Extended Key Usage) properties:
- Client Authentication.
- As defined by RFC 5280, this property is a well-defined OID with Value 1.3.6.1.5.5.7.3.2.
- Any Purpose.
- An EKU, defined and published by Microsoft, is a well-defined OID with value 1.3.6.1.4.1.311.10.12.1. The inclusion of this OID implies that the certificate can be used for any purpose. The advantage of this EKU over the All Purpose EKU is that other non-critical or custom EKUs can still be added to the certificate for effective filtering.
- All Purpose.
- As defined by RFC 5280, If a CA includes extended key usages to satisfy some application needs, but doesn't want to restrict usage of the key, the CA can add an Extended Key Usage Value of 0. A certificate with such an EKU can be used for all purposes.
- The user or the computer certificate on the client chains to a trusted root CA.
- The user or the computer certificate doesn't fail any one of the checks that are performed by the CryptoAPI certificate store, and the certificate passes requirements in the remote access policy.
- The user or the computer certificate doesn't fail any one of the certificate object identifier checks that are specified in the Internet Authentication Service (IAS)/Radius Server.
- The Subject Alternative Name (SubjectAltName) extension in the certificate contains the user principal name (UPN) of the user.
The following XML sample explains the properties for the EAP TLS XML including certificate filtering.
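Review bot: the comma fix on the `Any Purpose` bullet is fine, but the `All Purpose` bullet carried over unchanged is imprecise in a way that matters for certificate filtering: RFC 5280 does not define an "Extended Key Usage Value of 0"; it defines the `anyExtendedKeyUsage` OID as `{ id-ce-extKeyUsage 0 }`, i.e. `2.5.29.37.0`. Suggest naming the OID explicitly, as the other two bullets do, so an administrator writing the EKU filter knows which value to match, and lower-casing `If` mid-sentence.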
@ -281,38 +279,37 @@ The following XML sample explains the properties for the EAP TLS XML including c
Alternatively you can use the following procedure to create an EAP Configuration XML.
1. Follow steps 1 through 7 in [EAP configuration](mdm/eap-configuration.md).
1. Follow steps 1 through 7 in [EAP configuration](mdm/eap-configuration.md).
2. In the Microsoft VPN SelfHost Properties dialog box, select **Microsoft : Smart Card or other Certificate** from the drop-down menu (this drop-down menu selects EAP TLS.).
2. In the Microsoft VPN SelfHost Properties dialog box, select **Microsoft : Smart Card or other Certificate** from the drop-down menu (this drop-down menu selects EAP TLS.).
:::image type="content" alt-text="vpn selfhost properties window." source="images/certfiltering1.png":::
> [!NOTE]
> For PEAP or TTLS, select the appropriate method and continue following this procedure.
3. Click the **Properties** button underneath the drop-down menu.
3. Click the **Properties** button underneath the drop-down menu.
4. In the **Smart Card or other Certificate Properties** menu, select the **Advanced** button.
4. In the **Smart Card or other Certificate Properties** menu, select the **Advanced** button.
:::image type="content" alt-text="smart card or other certificate properties window." source="images/certfiltering2.png":::
:::image type="content" alt-text="smart card or other certificate properties window." source="images/certfiltering2.png":::
5. In the **Configure Certificate Selection** menu, adjust the filters as needed.
5. In the **Configure Certificate Selection** menu, adjust the filters as needed.
:::image type="content" alt-text="configure certificate selection window." source="images/certfiltering3.png":::
:::image type="content" alt-text="configure certificate selection window." source="images/certfiltering3.png":::
6. Click **OK** to close the windows to get back to the main rasphone.exe dialog box.
6. Click **OK** to close the windows to get back to the main rasphone.exe dialog box.
7. Close the rasphone dialog box.
7. Close the rasphone dialog box.
8. Continue following the procedure in [EAP configuration](mdm/eap-configuration.md) from Step 9 to get an EAP TLS profile with appropriate filtering.
8. Continue following the procedure in [EAP configuration](mdm/eap-configuration.md) from Step 9 to get an EAP TLS profile with appropriate filtering.
> [!NOTE]
> You can also set all the other applicable EAP Properties through this UI as well. A guide to what these properties mean can be found in [Extensible Authentication Protocol (EAP) Settings for Network Access](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh945104(v=ws.11)).
### MDM client will immediately check in with the MDM server after client renews WNS channel URI
After the MDM client automatically renews the WNS channel URI, the MDM client will immediately check-in with the MDM server. Henceforth, for every MDM client check-in, the MDM server should send a GET request for "ProviderID/Push/ChannelURI" to retrieve the latest channel URI and compare it with the existing channel URI; then update the channel URI if necessary.
After the MDM client automatically renews the WNS channel URI, the MDM client will immediately check in with the MDM server. Henceforth, for every MDM client check-in, the MDM server should send a GET request for "ProviderID/Push/ChannelURI" to retrieve the latest channel URI and compare it with the existing channel URI; then update the channel URI if necessary.
### User provisioning failure in Azure Active Directory-joined Windows 10 and Windows 11 devices
@ -326,10 +323,8 @@ If you want to use the certificate used for VPN authentication also for Kerberos
The DM agent for [push-button reset](/windows-hardware/manufacture/desktop/push-button-reset-overview) keeps the registry settings for OMA DM sessions, but deletes the task schedules. The client enrollment is retained, but it never syncs with the MDM service.
## Frequently Asked Questions
### Can there be more than one MDM server to enroll and manage devices in Windows 10 or 11?
No. Only one MDM is allowed.
@ -351,8 +346,3 @@ Entry | Description
What is dmwappushsvc? | It's a Windows service that ships in Windows 10 and Windows 11 operating system as a part of the windows management platform. It's used internally by the operating system as a queue for categorizing and processing all Wireless Application Protocol (WAP) messages, which include Windows management messages, and Service Indication/Service Loading (SI/SL). The service also initiates and orchestrates management sync sessions with the MDM server. |
What data is handled by dmwappushsvc? | It's a component handling the internal workings of the management platform and involved in processing messages that have been received by the device remotely for management. The messages in the queue are serviced by another component that is also part of the Windows management stack to process messages. The service also routes and authenticates WAP messages received by the device to internal OS components that process them further. This service doesn't send telemetry.|
How do I turn if off? | The service can be stopped from the "Services" console on the device (Start > Run > services.msc) and locating *Device Management Wireless Application Protocol (WAP) Push message Routing Service*. However, since this service is a component part of the OS and required for the proper functioning of the device, we strongly recommend not to disable the service. Disabling this service will cause your management to fail.|
## Change history for MDM documentation
To know what's changed in MDM documentation, see [Change history for MDM documentation](change-history-for-mdm-documentation.md).
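Review bot: removing the "Change history for MDM documentation" section drops the only link on this page to `change-history-for-mdm-documentation.md`; make sure a redirect for that path lands with this change so existing bookmarks don't break. While here, the unchanged FAQ row above reads `How do I turn if off?` and should be `How do I turn it off?`.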

View File

@ -1,6 +1,6 @@
---
title: Use Quick Assist to help users
description: How IT Pros can use Quick Assist to help users.
description: Learn how IT Pros can use Quick Assist to help users.
ms.prod: windows-client
ms.topic: article
ms.technology: itpro-manage
@ -9,10 +9,13 @@ author: vinaypamnani-msft
ms.author: vinpa
manager: aaroncz
ms.reviewer: pmadrigal
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 and later</a>
ms.collection:
- highpri
- tier1
ms.date: 08/26/2022
ms.date: 03/06/2023
---
# Use Quick Assist to help users
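Review bot: the two new `appliesto` entries overlap: `Windows 10 and later` already covers Windows 11, and both anchors point at the same supported-versions URL. Either keep a single `Windows 10 and later` entry or list `Windows 10` and `Windows 11` separately so the badge conveys something.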
@ -23,8 +26,8 @@ Quick Assist is a Microsoft Store application that enables a person to share the
All that's required to use Quick Assist is suitable network and internet connectivity. No roles, permissions, or policies are involved. Neither party needs to be in a domain. The helper must have a Microsoft account. The sharer doesn't have to authenticate.
> [!NOTE]
> In case the helper and sharer use different keyboard layouts or mouse settings, the ones from the sharer are used during the session.
> [!IMPORTANT]
> Quick Assist is not available in the Azure Government cloud.
### Authentication
@ -45,7 +48,7 @@ Quick Assist communicates over port 443 (https) and connects to the Remote Assis
| `*.registrar.skype.com` | Required for Azure Communication Service. |
| `*.support.services.microsoft.com` | Primary endpoint used for Quick Assist application |
| `*.trouter.skype.com` | Used for Azure Communication Service for chat and connection between parties. |
| `aadcdn.msauth.net` | Required for logging in to the application (AAD). |
| `aadcdn.msauth.net` | Required for logging in to the application (Azure AD). |
| `edge.skype.com` | Used for Azure Communication Service for chat and connection between parties. |
| `login.microsoftonline.com` | Required for Microsoft login service. |
| `remoteassistanceprodacs.communication.azure.com` | Used for Azure Communication Service for chat and connection between parties. |
@ -54,21 +57,32 @@ Quick Assist communicates over port 443 (https) and connects to the Remote Assis
> [!IMPORTANT]
> Quick Assist uses Edge WebView2 browser control. For a list of domain URLs that you need to add to the allow list to ensure that the Edge WebView2 browser control can be installed and updated, see [Allow list for Microsoft Edge endpoints](/deployedge/microsoft-edge-security-endpoints).
## Working with Quick Assist
Either the support staff or a user can start a Quick Assist session.
1. Support staff ("helper") and the user ("sharer") can start Quick Assist in any of a few ways:
- Type *Quick Assist* in the Windows search and press ENTER.
- Press **CTRL** + **Windows** + **Q**.
- For **Windows 10** users, from the Start menu, select **Windows Accessories**, and then select **Quick Assist**.
- For **Windows 11** users, from the Start menu, select **All Apps**, and then select **Quick Assist**.
1. In the **Help someone** section, the helper selects the **Help someone** button. The helper might be asked to choose their account or sign in. Quick Assist generates a time-limited security code.
1. Helper shares the security code with the user over the phone or with a messaging system.
1. The sharer enters the provided code in the **Security code from assistant** box under the **Get help** section, and then selects **Submit**.
1. The sharer receives a dialog asking for permission to allow screen sharing. The sharer gives permission by selecting the **Allow** button and the screen sharing session is established.
1. After the screen sharing session is established, the helper can optionally request control of the sharer's screen by selecting **Request control**. The sharer then receives a dialog asking them if they want to **Allow** or **Deny** the request for control.
> [!NOTE]
> In case the helper and sharer use different keyboard layouts or mouse settings, the ones from the sharer are used during the session.
## How it works
1. Both the helper and the sharer start Quick Assist.
2. The helper selects **Assist another person**. Quick Assist on the helper's side contacts the Remote Assistance Service to obtain a session code. An RCC chat session is established, and the helper's Quick Assist instance joins it. The helper then provides the code to the sharer.
3. After the sharer enters the code in their Quick Assist app, Quick Assist uses that code to contact the Remote Assistance Service and join that specific session. The sharer's Quick Assist instance joins the RCC chat session.
4. The helper is prompted to select **View Only** or **Full Control**.
5. The sharer is prompted to confirm allowing the helper to share their desktop with the helper.
6. Quick Assist starts RDP control and connects to the RDP Relay service.
7. RDP shares the video to the helper over https (port 443) through the RDP relay service to the helper's RDP control. Input is shared from the helper to the sharer through the RDP relay service.
1. The helper selects **Help someone**. Quick Assist on the helper's side contacts the Remote Assistance Service to obtain a session code. An RCC chat session is established, and the helper's Quick Assist instance joins it. The helper then provides the code to the sharer.
1. After the sharer enters the code in their Quick Assist app, Quick Assist uses that code to contact the Remote Assistance Service and join that specific session. The sharer's Quick Assist instance joins the RCC chat session.
1. The sharer is prompted to confirm allowing the helper to share their desktop with the helper.
1. Quick Assist starts RDP control and connects to the RDP Relay service.
1. RDP shares the video to the helper over https (port 443) through the RDP relay service to the helper's RDP control. Input is shared from the helper to the sharer through the RDP relay service.
:::image type="content" source="images/quick-assist-flow.png" lightbox="images/quick-assist-flow.png" alt-text="Schematic flow of connections when a Quick Assist session is established.":::
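Review bot: in the rewritten "How it works" list, the step `The sharer is prompted to confirm allowing the helper to share their desktop with the helper` has the direction backwards; it is the sharer's own desktop being shared, so `The sharer is prompted to confirm sharing their desktop with the helper` reads correctly. Also, with the old `View Only`/`Full Control` step dropped from this list, the consent prompt for control now appears only in the "Working with Quick Assist" steps above (`Request control`, then `Allow` or `Deny` on the sharer's side); a one-line step here noting that control is requested and approved separately after the session starts would keep the two lists consistent.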
@ -77,61 +91,39 @@ Quick Assist communicates over port 443 (https) and connects to the Remote Assis
Microsoft logs a small amount of session data to monitor the health of the Quick Assist system. This data includes the following information:
- Start and end time of the session
- Errors arising from Quick Assist itself, such as unexpected disconnections
- Features used inside the app such as view only, annotation, and session pause
No logs are created on either the helper's or sharer's device. Microsoft can't access a session or view any actions or keystrokes that occur in the session.
The sharer sees only an abbreviated version of the helper's name (first name, last initial) and no other information about them. Microsoft doesn't store any data about either the sharer or the helper for longer than three days.
> [!NOTE]
> No logs are created on either the helper's or sharer's device. Microsoft can't access a session or view any actions or keystrokes that occur in the session.
>
> The sharer sees only an abbreviated version of the helper's name (first name, last initial) and no other information about them. Microsoft doesn't store any data about either the sharer or the helper for longer than three days.
In some scenarios, the helper does require the sharer to respond to application permission prompts (User Account Control), but otherwise the helper has the same permissions as the sharer on the device.
## Working with Quick Assist
Either the support staff or a user can start a Quick Assist session.
1. Support staff ("helper") starts Quick Assist in any of a few ways:
- Type *Quick Assist* in the search box and press ENTER.
- Press **CTRL** + **Windows** + **Q**
- For **Windows 10** users, from the Start menu, select **Windows Accessories**, and then choose **Quick Assist**.
- For **Windows 11** users, from the Start menu, select **All Apps**, **Windows Tools**, and then choose **Quick Assist**.
2. In the **Give assistance** section, the helper selects **Assist another person**. The helper might be asked to choose their account or sign in. Quick Assist generates a time-limited security code.
3. Helper shares the security code with the user over the phone or with a messaging system.
4. Quick Assist opens on the sharer's device. The user enters the provided code in the **Code from assistant** box, and then selects **Share screen**.
5. The helper receives a dialog offering the opportunity to take full control of the device or just view its screen. After they choose an option, the helper selects **Continue**.
6. The sharer receives a dialog asking for permission to show their screen or allow access. The sharer gives permission by selecting the **Allow** button.
## Install Quick Assist
### Install Quick Assist from the Microsoft Store
1. Download the new version of Quick Assist by visiting the [Microsoft Store](https://apps.microsoft.com/store/detail/quick-assist/9P7BP5VNWKX5).
1. In the Microsoft Store, select **Get in Store app**. Then, give permission to install Quick Assist. When the installation is complete, you'll see **Get** change to **Open**.</br> :::image type="content" source="images/quick-assist-get.png" lightbox="images/quick-assist-get.png" alt-text="Microsoft Store window showing the Quick Assist app with a button labeled get in the bottom right corner.":::
1. In the Microsoft Store, select **Get in Store app**. Then, give permission to install Quick Assist. When the installation is complete, **Get** changes to **Open**.</br> :::image type="content" source="images/quick-assist-get.png" lightbox="images/quick-assist-get.png" alt-text="Microsoft Store window showing the Quick Assist app with a button labeled get in the bottom right corner.":::
For more information, visit [Install Quick Assist](https://support.microsoft.com/windows/install-quick-assist-c17479b7-a49d-4d12-938c-dbfb97c88bca).
### Install Quick Assist with Intune
Before installing Quick Assist, you'll need to set up synchronization between Intune and Microsoft Store for Business. If you've already set up sync, log into [Microsoft Store for Business](https://businessstore.microsoft.com) and skip to step 5.
Before installing Quick Assist, you need to set up synchronization between Intune and Microsoft Store for Business. If you've already set up sync, log into [Microsoft Store for Business](https://businessstore.microsoft.com) and skip to step 5.
1. In the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Tenant administration** / **Connectors and tokens** / **Microsoft Store for Business** and verify that **Microsoft Store for Business sync** is set to **Enable**.
1. Using your Global Admin account, log into [Microsoft Store for Business](https://businessstore.microsoft.com).
1. Select **Manage** / **Settings** and turn on **Show offline apps**.
1. Select **Manage** / **Settings** and enable **Show offline apps**.
1. Choose the **Distribute** tab and verify that **Microsoft Intune** is **Active**. You may need to use the **+Add management tool** link if it's not.
1. Search for **Quick Assist** and select it from the Search results.
1. Choose the **Offline** license and select **Get the app**
1. In the Intune admin center, choose **Sync**.
1. Navigate to **Apps** / **Windows** and you should see **Quick Assist (Offline)** in the list.
1. Select it to view its properties. By default, the app won't be assigned to anyone or any devices, select the **Edit** link.
1. Assign the app to the required group of devices and choose **Review + save** to complete the application install.
1. Select it to view its properties.
1. By default, the app isn't assigned to any user or device, select the **Edit** link. Assign the app to the required group of devices and choose **Review + save** to complete the application install.
> [!NOTE]
> Assigning the app to a device or group of devices instead of a user is important becauseit's the only way to install a store app in device context.
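Review bot: "the helper does require the sharer to respond to application permission prompts (User Account Control), but otherwise the helper has the same permissions as the sharer on the device" understates the consequence of step 6: once the sharer selects Allow for full control, the helper acts as the sharer's account, so if that account is a local administrator the helper can do anything an administrator can as soon as the sharer approves the UAC prompt. State that directly and say the sharer must stay at the device for the whole session. In the "Working with Quick Assist" steps, "Quick Assist generates a time-limited security code" should say how long the code stays valid, and step 4 should tell the sharer to enter only a code obtained from a helper they contacted themselves, since the code plus the Allow click is the entire admission check shown here. The NOTE ends with "becauseit's", which needs a space.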
@ -140,18 +132,19 @@ Visit [Add Microsoft Store apps to Microsoft Intune](/mem/intune/apps/store-apps
### Install Quick Assist Offline
To install Quick Assist offline, you'll need to download your APPXBUNDLE and unencoded XML file from [Microsoft Store for Business](https://businessstore.microsoft.com). Visit [Download an offline-licensed app](/microsoft-store/distribute-offline-apps#download-an-offline-licensed-app) for more information.
To install Quick Assist offline, you need to download your APPXBUNDLE and unencoded XML file from [Microsoft Store for Business](https://businessstore.microsoft.com). Visit [Download an offline-licensed app](/microsoft-store/distribute-offline-apps#download-an-offline-licensed-app) for more information.
1. Start **Windows PowerShell** with Administrative privileges.
1. In PowerShell, change the directory to the location you've saved the file to in step 1. (CD &#x3C;*location of package file*&#x3E;)
1. Run the following command to install Quick Assist: </br>*Add-appxprovisionedpackage -online -PackagePath "MicrosoftCorporationII.QuickAssist_2022.509.2259.0_neutral___8wekyb3d8bbwe.AppxBundle" -LicensePath "MicrosoftCorporationII.QuickAssist_8wekyb3d8bbwe_4bc27046-84c5-8679-dcc7-d44c77a47dd0.xml"*
1. After Quick Assist has installed, run this command: </br>_Get-appxpackage \*QuickAssist* -alluser_
After running the command, you'll see Quick Assist 2.X is installed for the user.
1. In PowerShell, change the directory to the location you've saved the file to in step 1: `cd <location of package file>`
1. Run the following command to install Quick Assist: `Add-AppxProvisionedPackage -Online -PackagePath "MicrosoftCorporationII.QuickAssist_8wekyb3d8bbwe.AppxBundle" -LicensePath "MicrosoftCorporationII.QuickAssist_8wekyb3d8bbwe_4bc27046-84c5-8679-dcc7-d44c77a47dd0.xml"`
1. After Quick Assist has installed, run this command to confirm that Quick Assist is installed for the user: `Get-AppxPackage *QuickAssist* -AllUsers`
## Microsoft Edge WebView2
The Microsoft EdgeWebView2is a development control that uses Microsoft Edge as the rendering engine to display web content in native apps.The new Quick Assist app is written using this control and is required. For Windows 11 users, this runtime control is built in. For Windows 10 users, the Quick Assist Store app will detect if WebView2 is present on launch and if necessary, it will be installed automatically. If an error message or prompt is shown indicating WebView2 isn't present, it will need to be installed separately.
The Microsoft EdgeWebView2is a development control that uses Microsoft Edge as the rendering engine to display web content in native apps.The new Quick Assist application has been developed using this control, making it a necessary component for the app to function.
- For Windows 11 users, this runtime control is built in.
- For Windows 10 users, the Quick Assist Store app detects if WebView2 is present on launch and if necessary, installs it automatically. If an error message or prompt is shown indicating WebView2 isn't present, it needs to be installed separately.
For more information on distributing and installing Microsoft Edge WebView2, visit [Distribute your app and the WebView2 Runtime](/microsoft-edge/webview2/concepts/distribution)
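Review bot: "change the directory to the location you've saved the file to in step 1" points at the wrong step: step 1 is "Start Windows PowerShell with Administrative privileges", and the download is described in the paragraph above the list; write "the folder where you saved the .AppxBundle and the license XML". The new PackagePath `MicrosoftCorporationII.QuickAssist_8wekyb3d8bbwe.AppxBundle` drops the version segment the old line carried (`_2022.509.2259.0_neutral__`), but the bundle downloaded from Microsoft Store for Business keeps its version in the file name, so either mark the name as a placeholder or keep a concrete versioned name that matches the license file next to it. Also, "Microsoft EdgeWebView2is a development control" and "native apps.The new Quick Assist" render without spaces in both the old and the new lines; replace whatever characters are there with plain spaces.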

@ -1,47 +0,0 @@
---
title: Reclaim seat from user
description: The Reclaim seat from user operation returns reclaimed seats for a user in the Microsoft Store for Business.
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.date: 05/05/2020
---
# Reclaim seat from user
The **Reclaim seat from user** operation returns reclaimed seats for a user in the Microsoft Store for Business.
## Request
|Method|Request URI|
|--- |--- |
|DELETE|`https://bspmts.mp.microsoft.com/V1/Inventory/{productId}/{skuId}/Seats/{username}`|
### URI parameters
The following parameters may be specified in the request URI.
|Parameter|Type|Description|
|--- |--- |--- |
|productId|string|Required. Product identifier for an application that is used by the Store for Business.|
|skuId|string|Required. Product identifier that specifies a specific SKU of an application.|
|username|string|Requires UserPrincipalName (UPN). User name of the target user account.|
## Response
### Response body
The response body contains [SeatDetails](data-structures-windows-store-for-business.md#seatdetails).
|Error code|Description|Retry|Data field|Details|
|--- |--- |--- |--- |--- |
|400|Invalid parameters|No|Parameter name<br>Reason: Invalid parameter<br>Details: String|Invalid can include productId, skuId or userName|
|404|Not found||Item type: Inventory, User, Seat<br>Values: ProductId/SkuId, UserName,<br>ProductId/SkuId/UserName|ItemType: Inventory, User, Seat<br>Values: ProductId/SkuId, UserName, ProductId/SkuId/UserName|
|409|Conflict||Reason: Not online||
 

@ -1,71 +0,0 @@
---
title: REST API reference for Microsoft Store for Business
description: Learn how the REST API reference for Microsoft Store for Business includes available operations and data structures.
MS-HAID:
- 'p\_phdevicemgmt.business\_store\_portal\_management\_rest\_api\_reference'
- 'p\_phDeviceMgmt.rest\_api\_reference\_windows\_store\_for\_Business'
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.date: 09/18/2017
---
# REST API reference for Microsoft Store for Business
Here's the list of available operations:
- [Get Inventory](get-inventory.md)
- [Get product details](get-product-details.md)
- [Get localized product details](get-localized-product-details.md)
- [Get offline license](get-offline-license.md)
- [Get product packages](get-product-packages.md)
- [Get product package](get-product-package.md)
- [Get seats](get-seats.md)
- [Get seat](get-seat.md)
- [Assign seats](assign-seats.md)
- [Reclaim seat from user](reclaim-seat-from-user.md)
- [Bulk assign and reclaim seats for users](bulk-assign-and-reclaim-seats-from-user.md)
- [Get seats assigned to a user](get-seats-assigned-to-a-user.md)
Here's the list of data structures:
- [AlternateIdentifier](data-structures-windows-store-for-business.md#alternateidentifier)
- [BulkSeatOperationResultSet](data-structures-windows-store-for-business.md#bulkseatoperationresultset)
- [FailedSeatRequest](data-structures-windows-store-for-business.md#failedseatrequest)
- [FrameworkPackageDetails](data-structures-windows-store-for-business.md#frameworkpackagedetails)
- [InventoryDistributionPolicy](data-structures-windows-store-for-business.md#inventorydistributionpolicy)
- [InventoryEntryDetails](data-structures-windows-store-for-business.md#inventoryentrydetails)
- [InventoryResultSet](data-structures-windows-store-for-business.md#inventoryresultset)
- [InventoryStatus](data-structures-windows-store-for-business.md#inventorystatus)
- [LicenseType](data-structures-windows-store-for-business.md#licensetype)
- [LocalizedProductDetail](data-structures-windows-store-for-business.md#localizedproductdetail)
- [OfflineLicense](data-structures-windows-store-for-business.md#offlinelicense)
- [PackageLocation](data-structures-windows-store-for-business.md#packagelocation)
- [ProductArchitectures](data-structures-windows-store-for-business.md#productarchitectures)
- [ProductDetails](data-structures-windows-store-for-business.md#productdetails)
- [ProductImage](data-structures-windows-store-for-business.md#productimage)
- [ProductKey](data-structures-windows-store-for-business.md#productkey)
- [ProductPackageDetails](data-structures-windows-store-for-business.md#productpackagedetails)
- [ProductPackageFormat](data-structures-windows-store-for-business.md#productpackageformat)
- [ProductPackageSet](data-structures-windows-store-for-business.md#productpackageset)
- [ProductPlatform](data-structures-windows-store-for-business.md#productplatform)
- [PublisherDetails](data-structures-windows-store-for-business.md#publisherdetails)
- [SeatAction](data-structures-windows-store-for-business.md#seataction)
- [SeatDetails](data-structures-windows-store-for-business.md#seatdetails)
- [SeatDetailsResultSet](data-structures-windows-store-for-business.md#seatdetailsresultset)
- [SeatState](data-structures-windows-store-for-business.md#seatstate)
- [SupportedProductPlatform](data-structures-windows-store-for-business.md#supportedproductplatform)
- [VersionInfo](data-structures-windows-store-for-business.md#versioninfo)
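Review bot: Deleting this index together with reclaim-seat-from-user.md above removes the targets of the twelve operation links listed here (get-inventory.md through get-seats-assigned-to-a-user.md) and of the data-structures-windows-store-for-business.md anchors; each of those paths needs its own redirect entry, not just the index, or external links to the individual operations will 404. Confirm the redirection file covers every path in this list before merging.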
 

@ -11,8 +11,6 @@ items:
href: mdm-overview.md
- name: What's new in MDM enrollment and management
href: new-in-windows-mdm-enrollment-management.md
- name: Change history for MDM documentation
href: change-history-for-mdm-documentation.md
- name: Azure Active Directory integration with MDM
href: azure-active-directory-integration-with-mdm.md
items:
@ -44,40 +42,8 @@ items:
items:
- name: Enterprise app management
href: enterprise-app-management.md
items:
- name: Deploy and configure App-V apps using MDM
href: appv-deploy-and-config.md
- name: Management tool for the Microsoft Store for Business
href: management-tool-for-windows-store-for-business.md
- name: REST API reference for Microsoft Store for Business
href: rest-api-reference-windows-store-for-business.md
items:
- name: Data structures for Microsoft Store for Business
href: data-structures-windows-store-for-business.md
- name: Get Inventory
href: get-inventory.md
- name: Get product details
href: get-product-details.md
- name: Get localized product details
href: get-localized-product-details.md
- name: Get offline license
href: get-offline-license.md
- name: Get product packages
href: get-product-packages.md
- name: Get product package
href: get-product-package.md
- name: Get seats
href: get-seats.md
- name: Get seat
href: get-seat.md
- name: Assign seats
href: assign-seats.md
- name: Reclaim seat from user
href: reclaim-seat-from-user.md
- name: Bulk assign and reclaim seats from users
href: bulk-assign-and-reclaim-seats-from-user.md
- name: Get seats assigned to a user
href: get-seats-assigned-to-a-user.md
- name: Deploy and configure App-V apps using MDM
href: appv-deploy-and-config.md
- name: Mobile device management (MDM) for device updates
href: device-update-management.md
- name: Secured-Core PC Configuration Lock
@ -98,10 +64,10 @@ items:
href: administrative-tools-in-windows-10.md
- name: Use Quick Assist to help users
href: quick-assist.md
- name: Create mandatory user profiles
href: mandatory-user-profile.md
- name: Connect to remote Azure Active Directory-joined PC
href: connect-to-remote-aadj-pc.md
- name: Create mandatory user profiles
href: mandatory-user-profile.md
- name: New policies for Windows 10
href: new-policies-for-windows-10.md
- name: Windows 10 default media removal policy

@ -34,6 +34,7 @@
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"adobe-target": true,
"ms.collection": [
"tier2"
],
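Review bot: `"adobe-target": true` in globalMetadata loads Adobe Target, a third-party experimentation and tracking script, on every page built from this docset; that is a tracking and content-security decision rather than a doc fix, and the same flag is added to a second docfx.json further down in this commit. Confirm it is intended for both docsets and keep the setting consistent across the repo's other docfx.json files rather than letting it arrive via a merge.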

@ -260,9 +260,7 @@ This sample demonstrates that both UWP and Win32 apps can be configured to autom
>
<Profiles>
<Profile Id="{AFF9DA33-AE89-4039-B646-3A5706E92957}">
<KioskModeApp v4:ClassicAppPath="%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe"
<KioskModeApp v4:ClassicAppPath="%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe"
v4:ClassicAppArguments="--no-first-run --kiosk-idle-timeout-minutes=5 --kiosk www.bing.com"/>
<KioskModeApp v4:ClassicAppPath="%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe" v4:ClassicAppArguments="--no-first-run --kiosk-idle-timeout-minutes=5 --kiosk www.bing.com" />
<v4:BreakoutSequence Key="Ctrl+A"/>
</Profile>
</Profiles>
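Review bot: `<v4:BreakoutSequence Key="Ctrl+A"/>` in this sample makes the breakout key the select-all shortcut, which an ordinary kiosk user presses constantly in a browser, so the sample drops users out of kiosk mode by accident; use a combination nobody hits in normal use and note in the surrounding text that the breakout sequence is a usability escape for the operator, not a security boundary. Collapsing KioskModeApp onto one line is fine, but give the start page an explicit scheme (`https://www.bing.com`) instead of `www.bing.com` so the kiosk doesn't rely on scheme guessing to land on HTTPS.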

@ -57,7 +57,7 @@ On devices running Windows client, you can install [the Windows Configuration De
- When running Windows Configuration Designer on Windows releases earlier than Windows 10, version 2004 you might need to enable TLS 1.2, especially if using Bulk Enrollment Tokens. You may see the error message in the `icd.log` file: `Error: AADSTS1002016: You are using TLS version 1.0, 1.1 and/or 3DES cipher which are deprecated to improve the security posture of Azure AD` For more information, see [Enable TLS 1.2 on client or server operating systems](/troubleshoot/azure/active-directory/enable-support-tls-environment#enable-tls-12-on-client-or-server-operating-systems-).
- Windows Configuration Designer doesn't work properly if the **Policies > Administrative Templates > Windows Components > Internet Explorer > Security Zones: Use only machine settings** Group Policy setting is enabled. Instead of changing the security setting, we recommend you run Windows Configuration Designer on a different device.
- Windows Configuration Designer doesn't work properly when the Group Policy setting **Policies** > **Administrative Templates** > **Windows Components** > **Internet Explorer** > **Security Zones: Use only machine settings** is enabled. When this policy is set, each step will display oversized buttons that fill the **Windows Configuration Designer** window. Additionally, the various options and descriptions that are normally to the right of the buttons won't be displayed because the buttons take up all of the space in the **Windows Configuration Designer** window. To resolve the problem, run Windows Configuration Designer on a device that doesn't have this policy enabled.
- You can only run one instance of Windows Configuration Designer on your computer at a time.
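Review bot: The rewritten bullet says "each step will display oversized buttons" and "won't be displayed" while the rest of this commit moves text to present tense (for example "Get changes to Open"); use "displays" and "aren't displayed". In the bullet above it, the quoted error `AADSTS1002016 ... which are deprecated to improve the security posture of Azure AD` runs straight into "For more information" with no punctuation; close the quote with a period. The TLS 1.2 point is right, but say that the fix is applied on the device running Windows Configuration Designer, as the linked title ("Enable TLS 1.2 on client or server operating systems") implies, not on the tenant.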

Binary file not shown (image, after: 35 KiB).
@ -158,13 +158,11 @@ Installing MCC on your Windows device is a simple process. A PowerShell script p
>
> Don't use PowerShell ISE, PowerShell 6.x, or PowerShell 7.x. Only Windows PowerShell version 5.x is supported.
#### If you're installing MCC on a local virtual machine
1. Turn the virtual machine **off** while you enable nested virtualization and MAC spoofing.
1. **If you're installing MCC on a local virtual machine**, turn the virtual machine **off** while you enable nested virtualization and MAC spoofing.
1. Enable nested virtualization:
```powershell
Set -VMProcessor -VMName "VM name" -ExposeVirtualizationExtensions $true
Set-VMProcessor -VMName "VM name" -ExposeVirtualizationExtensions $true
```
1. Enable MAC spoofing:
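Review bot: `Set -VMProcessor` to `Set-VMProcessor` is a real fix (with the space, PowerShell looks for a command named `Set`), but folding the "If you're installing MCC on a local virtual machine" heading into step 1 makes steps 2 and 3 ("Enable nested virtualization", "Enable MAC spoofing") read as if every install needs them; say that all three steps apply only to the VM case. Show `"VM name"` as a placeholder (`<VM name>`), and add a caveat on the MAC spoofing step: it lets that VM put any source MAC on the wire, so enable it only on the network adapter attached to this VM, which is what the nested EFLOW VM mentioned later needs.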
@ -230,7 +228,7 @@ Installing MCC on your Windows device is a simple process. A PowerShell script p
1. Your MCC deployment is now complete.
1. If you don't see any errors, continue to the next section to validate your MCC deployment.
1. If you don't see any errors, continue to the next section to validate your MCC deployment. Your VM will not appear in Hyper-V Manager as it is an EFLOW VM.
1. After validating your MCC is properly functional, review your management solution documentation, such as [Intune](/mem/intune/configuration/delivery-optimization-windows), to set the cache host policy to the IP address of your MCC.
1. If you had errors during your deployment, see the [Common Issues](#common-issues) section in this article.
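Review bot: "Your VM will not appear in Hyper-V Manager as it is an EFLOW VM." is a useful addition but should read "won't appear ... because it's an EFLOW VM" to match the contraction style used elsewhere in this commit, and it would help to say where the VM can be seen instead, since the next section is where the reader validates the deployment.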

@ -99,6 +99,8 @@ There are five IDs that the device provisioning script takes as input in order t
| Customer key | The unique alphanumeric ID that provides secure authentication of the cache node to Delivery Optimization services. |
| Registration key | Single use device registration key used by Microsoft Delivery Optimization services. |
#### Provision your server
:::image type="content" source="images/mcc-isp-deploy-cache-node-numbered.png" alt-text="Screenshot of the server provisioning tab within cache node configuration in Azure portal.":::
1. After completing cache node provisioning, navigate to the **Server provisioning** tab. Select **Download provisioning package** to download the installation package to your server.
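Review bot: The new "Provision your server" heading now sits directly under the table that describes the Customer key as what "provides secure authentication of the cache node" and the Registration key as "Single use". If the provisioning package embeds those values for the script, as the five inputs listed above suggest, say so before "Select Download provisioning package" and tell the reader to handle the package as a secret (restricted file permissions on the server, not pasted into tickets or shared drives), and that a registration key that has been used once won't work again.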

@ -23,7 +23,7 @@ ms.collection: tier3
## Overview
> [!IMPORTANT]
> This document is for Microsoft Connected Cache (early preview). During this phase we invite customers to take part in early access for testing purposes. This phase doesn't include formal support. Instead, you'll be working directly with the product team to provide feedback on Microsoft Connected Cache. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
> This document is for Microsoft Connected Cache (early preview). Microsoft Connected Cache for ISPs is now in Public Preview - for our early preview customers, we highly encourage you to migrate your cache nodes to our public preview. See [instructions on how to migrate](#migrating-your-mcc-to-public-preview) below.
Microsoft Connected Cache (MCC) preview is a software-only caching solution that delivers Microsoft content within operator networks. MCC can be deployed to as many physical servers or VMs as needed and is managed from a cloud portal. Microsoft cloud services handle routing of consumer devices to the cache server for content downloads.
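Review bot: The rewritten IMPORTANT drops the link to the Supplemental Terms of Use for Microsoft Azure Previews even though the first sentence still says "This document is for Microsoft Connected Cache (early preview)" and the rest of the note sends customers to the Public Preview, which is also preview software; keep the terms link. The note also opens by saying the document is for the early preview and then tells early preview customers to leave it, so state what the page now covers (the early preview plus the migration to Public Preview).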
@ -62,7 +62,9 @@ The following steps describe how MCC is provisioned and used:
## ISP requirements for MCC
### Azure subscription
Microsoft Connected Cache for Internet Service Providers is now in Public Preview! To get started, visit [Azure portal](https://www.portal.azure.com) to sign up for Microsoft Connected Cache for Internet Service Providers. Please see [Operator sign up and service onboarding for Microsoft Connected Cache](mcc-isp-signup.md) for more information on the requirements for sign up and onboarding.
<!-- ### Azure subscription
The MCC management portal is hosted within Azure. It's used to create the Connected Cache Azure resource and IoT Hub resource. Both are *free* services.
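Review bot: `<!-- ### Azure subscription` opens an HTML comment whose closing `-->` lands in a later hunk, and the pattern repeats for "Steps to deploy MCC", "Install MCC", "Diagnostics script", "Updating your MCC" and "Configure BGP on an Existing MCC"; commenting out whole sections keeps stale instructions (including the old survey link for the subscription ID) in the source and leaves comment markers that straddle hunks, which the next merge conflict is likely to unbalance. Delete the sections and rely on history. In the new paragraph, "Public Preview!" and "Please see" should be "Public Preview." and "See".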
@ -73,9 +75,6 @@ Your Azure subscription ID is first used to provision MCC services and enable ac
The resources used for the preview, and in the future when this product is ready for production, will be free to you - like other caching solutions.
> [!IMPORTANT]
> To join the Microsoft Connected Cache early preview, provide your Azure subscription ID by filling out [this survey](https://aka.ms/MCCForISPSurvey).
### Hardware to host the MCC
This recommended configuration can egress at a rate of 9 Gbps with a 10 Gbps NIC.
@ -102,9 +101,9 @@ The MCC module is optimized for Ubuntu 20.04 LTS. Install Ubuntu 20.04 LTS on a
| NIC | 10 Gbps| at least 10 Gbps |
| Disk | SSD </br>1 drive </br>2 TB each |SSD </br>2-4 drives </br>at least 2 TB each |
| Memory | 8 GB | 32 GB or greater |
| Cores | 4 | 8 or more |
| Cores | 4 | 8 or more | -->
## Steps to deploy MCC
<!-- ## Steps to deploy MCC
To deploy MCC:
@ -116,16 +115,13 @@ To deploy MCC:
6. [Verify properly functioning MCC server](#verify-properly-functioning-mcc-server)
7. [Review common issues if needed](#common-issues)
For questions regarding these instructions, contact [msconnectedcache@microsoft.com](mailto:msconnectedcache@microsoft.com).
## Provide Microsoft with your Azure subscription ID
As part of the MCC preview onboarding process, an Azure subscription ID must be provided to Microsoft.
> [!IMPORTANT]
> If you haven't already, provide your Azure subscription ID by filling out [this survey](https://aka.ms/MCCForISPSurvey). You can't continue if you skip this step.
For information about creating or locating your subscription ID, see [Steps to obtain an Azure subscription ID](#steps-to-obtain-an-azure-subscription-id).
> For information about creating or locating your subscription ID, see [Steps to obtain an Azure subscription ID](#steps-to-obtain-an-azure-subscription-id).
### Create the MCC resource in Azure
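Review bot: The line "> For information about creating or locating your subscription ID..." gained a `>` after the `> [!IMPORTANT]` lines above it were deleted, leaving a bare blockquote with no alert type; drop the `>` or restore an alert. The block sits inside the comment opened at `<!-- ## Steps to deploy MCC`, so it doesn't render today, but it comes back wrong if the section is ever restored.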
@ -265,9 +261,9 @@ To modify the configuration for existing MCC nodes in the portal, select the cac
:::image type="content" source="./images/mcc-isp-node-configuration.png" alt-text="Screenshot of the Cache Node Configuration page, highlighting editable fields.":::
To delete a cache node, select it in the cache nodes list, and then select **Delete** in the toolbar. If you delete a cache node, there's no way to recover it or any of the information related to the cache node.
To delete a cache node, select it in the cache nodes list, and then select **Delete** in the toolbar. If you delete a cache node, there's no way to recover it or any of the information related to the cache node. -->
## Install MCC
<!-- ## Install MCC
To install MCC on your physical server or VM, you use a Bash script installer, which runs the following tasks:
@ -400,7 +396,7 @@ Before you start, make sure that you have a data drive configured on your server
- Inspect the installer logs, which are in the following path: `/etc/mccresourcecreation/`
- For more information, see [Troubleshoot your IoT Edge device](/azure/iot-edge/troubleshoot).
- For more information, see [Troubleshoot your IoT Edge device](/azure/iot-edge/troubleshoot). -->
## Verify properly functioning MCC server
@ -509,9 +505,9 @@ To configure the device to work with your DNS, use the following steps:
sudo restart IoTEdge
```
### Diagnostics script
<!-- ### Diagnostics script
If you're having issues with your MCC, the installer file includes a diagnostics script. The script collects all logs and zips them into a single file. You can then email these logs to Microsoft.
If you're having issues with your MCC, the installer file includes a diagnostics script. The script collects all logs and zips them into a single file.
To run the script:
@ -528,9 +524,9 @@ To run the script:
1. The script stores all the debug files into a folder and creates a tar file. After the script is finished running, it displays the path of the tar file that you can share with the MCC team. The file should be `/etc/mccdiagnostics/support_bundle_\$timestamp.tar.gz`
1. [Email the MCC team](mailto:msconnectedcache@microsoft.com?subject=Debugging%20Support%20Request%20for%20MCC) and attach this tar file, asking for debugging support. Screenshots of the error along with any other warnings you saw will be helpful during the debugging process.
1. [Email the MCC team](mailto:msconnectedcache@microsoft.com?subject=Debugging%20Support%20Request%20for%20MCC) and attach this tar file, asking for debugging support. Screenshots of the error along with any other warnings you saw will be helpful during the debugging process. -->
## Updating your MCC
<!-- ## Updating your MCC
Throughout the early preview phase, Microsoft will release security and feature updates for MCC. Follow these steps to update your MCC.
@ -546,9 +542,9 @@ For example:
```bash
sudo ./updatemcc.sh version="msconnectedcacheprod.azurecr.io/mcc/linux/iot/mcc-ubuntu-iot-amd64:1.2.1.981" tenantid="799a999aa-99a1-99aa-99aa-9a9aa099db99" customerid="99a999aa-99a1-99aa-99aa-9aaa9aaa0saa" cachenodeid=" aa99aaaa-999a-9aas-99aa99daaa99 " customerkey="a99d999a-aaaa-aa99-0999aaaa99aa"
```
``` -->
### Configure BGP on an Existing MCC
<!-- ### Configure BGP on an Existing MCC
If you have an MCC that's already active and running, follow the steps below to configure BGP.
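Review bot: The `sudo ./updatemcc.sh ... customerkey="a99d999a-aaaa-aa99-0999aaaa99aa"` example passes the customer key, the value the Server provisioning table earlier in this commit describes as what authenticates the cache node, as a command-line argument, where it lands in the shell history and is visible to every user on the host through the process list; if this section is ever restored, have the script read the key from a root-only file or a prompt and show the example that way. The same line has stray spaces inside `cachenodeid=" aa99aaaa-999a-9aas-99aa99daaa99 "`. Since the block is being commented out rather than removed, fix it or delete it; leaving it means the next person to uncomment it ships the unsafe example.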
@ -556,7 +552,22 @@ If you have an MCC that's already active and running, follow the steps below to
1. Sign in with your Azure credentials using the device code.
1. To finish configuring your MCC with BGP routing, continue from Step 10 of [Steps to Install MCC](#steps-to-install-mcc).
1. To finish configuring your MCC with BGP routing, continue from Step 10 of [Steps to Install MCC](#steps-to-install-mcc). -->
## Migrating your MCC to Public Preview
> [!NOTE]
> Please note, if you reboot your server, the version that you are currently on will no longer function, after which you will be required to migrate to the new version.
We recommend migrating now to the new version to access these benefits and ensure no downtime.
To migrate, use the following steps:
1. Navigate to the cache node that you would like to migrate and select **Download Migration Package** using the button at the top of the page.
1. Follow the instructions under the **Connected Cache Migrate Scripts** section within Azure portal.
:::image type="content" source="images/mcc-isp-migrate.png" alt-text="A screenshot of Azure portal showing the migration instructions for migrating a cache node from the private preview to the public preview." lightbox="images/mcc-isp-migrate.png":::
1. Go to https://portal.azure.com and navigate to your resource to check your migrated cache nodes.
## Uninstalling MCC
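Review bot: "if you reboot your server, the version that you are currently on will no longer function, after which you will be required to migrate" describes a service-breaking condition, so it belongs in [!IMPORTANT] or [!WARNING], not [!NOTE], and it should come before "We recommend migrating now", which otherwise reads as optional. Drop "Please note," and use "you're" and "you'll" to match the rest of the rewrite. "Go to https://portal.azure.com" is a bare URL while the section above links "[Azure portal](https://www.portal.azure.com)"; use the link form and the same host in both places. Step 2 ("Follow the instructions under the Connected Cache Migrate Scripts section") is the step that runs downloaded scripts on the cache node; say that the package comes from the operator's own Azure portal resource and how to verify it before running it, since that is the step a cautious ISP will question.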
@ -708,7 +719,7 @@ You can use hardware that will natively run Ubuntu 20.04 LTS, or you can run an
>
> :::image type="content" source="./images/mcc-isp-ubuntu-upgrade.png" alt-text="Screenshot of the Ubuntu install's Upgrade Available prompt with Don't Upgrade selected.":::
Your Ubuntu VM is now ready to [Install MCC](#install-mcc).
Your Ubuntu VM is now ready to install MCC.
### IoT Edge runtime

@ -34,6 +34,7 @@
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"adobe-target": true,
"ms.collection": [
"tier2"
],

@ -5,7 +5,7 @@ manager: aaroncz
ms.technology: itpro-updates
ms.prod: windows-client
ms.topic: include
ms.date: 08/18/2022
ms.date: 03/15/2023
ms.localizationpriority: medium
---
<!--This file is shared by updates/wufb-reports-enable.md and the update/wufb-reports-admin-center.md articles. Headings may be driven by article context. -->
@ -15,7 +15,15 @@ To enroll into Windows Update for Business reports, edit configuration settings,
- [Global Administrator role](/azure/active-directory/roles/permissions-reference#global-administrator)
- [Intune Administrator](/azure/active-directory/roles/permissions-reference#intune-administrator)
- [Windows Update deployment administrator](/azure/active-directory/roles/permissions-reference#windows-update-deployment-administrator)
- This role allows enrollment through the [workbook](../wufb-reports-enable.md#bkmk_enroll-workbook) but not the Microsoft 365 admin center
- This role allows enrollment through the [workbook](../wufb-reports-enable.md#bkmk_enroll-workbook) but doesn't allow any access to the Microsoft 365 admin center
- [Policy and profile manager](/mem/intune/fundamentals/role-based-access-control#built-in-roles) Intune role
- This role allows enrollment through the [workbook](../wufb-reports-enable.md#bkmk_enroll-workbook) but doesn't allow any access to the Microsoft 365 admin center
To display the workbook and view the **Windows** tab in the **Software Updates** page [Microsoft 365 admin center](https://admin.microsoft.com) use the following role:
- [Global Reader role](/azure/active-directory/roles/permissions-reference#global-reader)
**Log Analytics permissions**:
The data for Windows Update for Business reports is routed to a Log Analytics workspace for querying and analysis. To display or query data, users must have one of the following roles, or the equivalent permissions:
- [Log Analytics Contributor](/azure/role-based-access-control/built-in-roles#log-analytics-contributor) role can be used to edit and write queries
- [Log Analytics Reader](/azure/role-based-access-control/built-in-roles#log-analytics-reader) role can be used to read data
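Review bot: "Log Analytics Reader role can be used to read data" undersells the role: Log Analytics Reader can run queries against the workspace, while Log Analytics Contributor additionally changes workspace configuration and saves queries; as written, people who only need to run a query may be handed Contributor. Reword to "Reader to run queries and view data; Contributor to edit the workspace or save queries". Also, the old wording "but not the Microsoft 365 admin center" was about where enrollment can be done; the new "doesn't allow any access to the Microsoft 365 admin center" is a broader claim about the role. If the intent is only that enrollment can't be done from the admin center with that role, say that.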

@ -18,6 +18,7 @@ ms.localizationpriority: medium
- The Azure subscription
- The Log Analytics workspace
1. The initial setup can take up to 24 hours. During this time, the **Windows** tab will display that it's **Waiting for Windows Update for Business reports data**.
- Enrolling into Windows Update for Business reports doesn't influence the rate that required data is uploaded from devices. Device connectivity to the internet and how active the device is influences how long it will take before the device appears in reporting. Devices that are active and connected to the internet daily can expect to be fully uploaded within one week (usually less than 72 hours). Devices that are less active can take up to two weeks before data is fully available.
1. After the initial setup is complete, the **Windows** tab will display your Windows Update for Business reports data in the charts.
> [!Note]
> The device counts in the **Windows** tab may vary from the **Microsoft 365 Apps** tab since their requirements are different.


@ -8,7 +8,7 @@ ms.topic: include
ms.date: 08/10/2022
ms.localizationpriority: medium
---
<!--This file is shared by updates/wufb-reports-help.md and the update/wufb-reports-configuration-script.md articles. Headings are driven by article context. -->
<!--This file is used by update/wufb-reports-configuration-script.md articles. It was dropped from updates/wufb-reports-help.md. Headings are driven by article context. -->
In some cases, you may need to manually verify the device configuration has the `AllowUpdateComplianceProcessing` policy enabled. To verify the setting, use the following steps:


@ -69,6 +69,7 @@ Use one of the following methods to enroll into Windows Update for Business repo
> [!Tip]
> If a `403 Forbidden` error occurs, verify the account you're using has [permissions](wufb-reports-prerequisites.md#permissions) to enroll into Windows Update for Business reports.
1. The initial setup can take up to 24 hours. During this time, the workbook will display that it's **Waiting for Windows Update for Business reports data**.
- Enrolling into Windows Update for Business reports doesn't influence the rate that required data is uploaded from devices. Device connectivity to the internet and how active the device is influences how long it will take before the device appears in reporting. Devices that are active and connected to the internet daily can expect to be fully uploaded within one week (usually less than 72 hours). Devices that are less active can take up to two weeks before data is fully available.
##### <a name="bkmk_admin-center"></a> Enroll through the Microsoft 365 admin center
<!--Using include for onboarding Windows Update for Business reports through the Microsoft 365 admin center-->
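Review bot: the added paragraph "Enrolling into Windows Update for Business reports doesn't influence the rate that required data is uploaded from devices. ..." is inserted verbatim in this hunk and in the admin center enrollment hunk earlier in the same change. This PR already uses include files for shared text (for example wufb-reports-admin-center-permissions.md), so move this paragraph into an include as well so the two copies don't drift the next time the upload timing guidance (72 hours, two weeks) is revised.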


@ -6,7 +6,7 @@ ms.prod: windows-client
author: mestew
ms.author: mstewart
ms.topic: article
ms.date: 02/14/2023
ms.date: 03/15/2023
ms.technology: itpro-updates
---
@ -30,11 +30,6 @@ Before you begin the process of adding Windows Update for Business reports to yo
[!INCLUDE [Windows Update for Business reports permissions](./includes/wufb-reports-admin-center-permissions.md)]
**Log Analytics permissions**:
- [Log Analytics Contributor](/azure/role-based-access-control/built-in-roles#log-analytics-contributor) role can be used to edit and write queries
- [Log Analytics Reader](/azure/role-based-access-control/built-in-roles#log-analytics-reader) role can be used to read data
## Operating systems and editions
- Windows 11 Professional, Education, Enterprise, and [Enterprise multi-session](/azure/virtual-desktop/windows-10-multisession-faq) editions


@ -1,6 +1,7 @@
---
title: Configure VDA for Windows subscription activation
description: Learn how to configure virtual machines (VMs) to enable Windows 10 Subscription Activation in a Windows Virtual Desktop Access (VDA) scenario.
ms.reviewer: nganguly
manager: aaroncz
ms.author: frankroj
author: frankroj
@ -37,7 +38,7 @@ Deployment instructions are provided for the following scenarios:
### Scenario 1
- The VM is running a supported version of Windows.
- The VM is hosted in Azure or another Qualified Multitenant Hoster (QMTH).
- The VM is hosted in Azure, an authorized outsourcer, or another Qualified Multitenant Hoster (QMTH).
When a user with VDA rights signs in to the VM using their Azure AD credentials, the VM is automatically stepped-up to Enterprise and activated. There's no need to do Windows Pro activation. This functionality eliminates the need to maintain KMS or MAK in the qualifying cloud infrastructure.
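Review bot: "an authorized outsourcer" is introduced in the Scenario 1 bullet without a definition or link, and "hosted in Azure, an authorized outsourcer, or another Qualified Multitenant Hoster (QMTH)" reads as if an authorized outsourcer were one kind of QMTH. State whether it is a distinct hosting category and link to where it is defined, because the automatic step-up to Enterprise described in the next paragraph only applies when the host qualifies, and an admin reading this bullet has to decide whether their provider does.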


@ -37,7 +37,7 @@ This article covers the following information:
For more information on how to deploy Enterprise licenses, see [Deploy Windows Enterprise licenses](deploy-enterprise-licenses.md).
> [!NOTE]
> Organizations that use the Subscription Activation feature to enable users to upgrade from one version of Windows to another and use Conditional Access policies to control access need to exclude the [Universal Store Service APIs and Web Application, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f](/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in#application-ids-of-commonly-used-microsoft-applications), from their device compliance policy using **Select Excluded Cloud Apps**. For more information about configuring exclusions in Conditional Access policies, see [Application exclusions](/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa#application-exclusions).
> Organizations that use the Subscription Activation feature to enable users to upgrade from one version of Windows to another and use Conditional Access policies to control access need to exclude the [Universal Store Service APIs and Web Application, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f](/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in#application-ids-of-commonly-used-microsoft-applications), from their Conditional Access policies using **Select Excluded Cloud Apps**. For more information about configuring exclusions in Conditional Access policies, see [Application exclusions](/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa#application-exclusions).
## Subscription activation for Enterprise
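Review bot: changing "from their device compliance policy" to "from their Conditional Access policies" broadens the instruction from one policy type to all Conditional Access policies. Excluding the Universal Store Service APIs app from a policy removes that policy's controls for that app entirely, so consider naming which policies need the exclusion (those whose grant controls block the subscription activation sign-in) rather than implying every policy, so admins don't carve the app out of more policies than the activation flow requires.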


@ -8,6 +8,8 @@
href: overview/windows-autopatch-overview.md
- name: Roles and responsibilities
href: overview/windows-autopatch-roles-responsibilities.md
- name: Privacy
href: overview/windows-autopatch-privacy.md
- name: FAQ
href: overview/windows-autopatch-faq.yml
- name: Prepare
@ -90,7 +92,7 @@
href: operate/windows-autopatch-deregister-devices.md
- name: Unenroll your tenant
href: operate/windows-autopatch-unenroll-tenant.md
- name: Reference
- name: References
href:
items:
- name: Update policies
@ -102,8 +104,6 @@
href: references/windows-autopatch-microsoft-365-policies.md
- name: Changes made at tenant enrollment
href: references/windows-autopatch-changes-to-tenant.md
- name: Privacy
href: references/windows-autopatch-privacy.md
- name: What's new
href:
items:


@ -37,7 +37,7 @@ Windows Autopatch deploys, manages and maintains all configurations related to t
The **Tenant management** blade can be found by navigating to Tenant administration > Windows Autopatch > **Tenant management**.
> [!IMPORTANT]
> Starting October 12, 2022, Windows Autopatch will manage your tenant with our [first party enterprise applications](../references/windows-autopatch-changes-to-tenant.md#windows-autopatch-enterprise-applications). If your tenant is still using the [Windows Autopatch service accounts](../references/windows-autopatch-privacy.md#service-accounts), your Global admin must take action in the new Windows Autopatch Tenant management blade to approve the configuration change. To take action or see if you need to take action, visit the Tenant management blade in the Windows Autopatch portal.
> Starting October 12, 2022, Windows Autopatch will manage your tenant with our [enterprise applications](../references/windows-autopatch-changes-to-tenant.md#windows-autopatch-enterprise-applications). If your tenant is still using the [Windows Autopatch service accounts](../overview/windows-autopatch-privacy.md#service-accounts), your Global admin must go to the Tenant management blade to approve the configuration change.
The type of banner that appears depends on the severity of the action. Currently, only critical actions are listed.
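Review bot: the rewritten IMPORTANT note still opens with "Starting October 12, 2022, Windows Autopatch will manage your tenant with our enterprise applications", which is future tense for a date that is now past relative to the other ms.date values in this change (03/2023). Suggest present tense: "Windows Autopatch manages your tenant with our enterprise applications. If your tenant is still using the Windows Autopatch service accounts, your Global admin must go to the Tenant management blade to approve the configuration change." Also, this note says "enterprise applications" (plural) while the privacy page note in this same change says "enterprise application" (singular); pick one.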


@ -32,7 +32,7 @@ Unenrolling from Windows Autopatch requires manual actions from both you and fro
| Responsibility | Description |
| ----- | ----- |
| Windows Autopatch data | Windows Autopatch will delete user data that is within the Windows Autopatch service. We wont make changes to any other data. For more information about how data is used in Windows Autopatch, see [Privacy](../references/windows-autopatch-privacy.md). |
| Windows Autopatch data | Windows Autopatch will delete user data that is within the Windows Autopatch service. We wont make changes to any other data. For more information about how data is used in Windows Autopatch, see [Privacy](../overview/windows-autopatch-privacy.md). |
| Deregistering devices | Windows Autopatch will deregister all devices previously registered with the service. Only the Windows Autopatch device record will be deleted. We won't delete Microsoft Intune and/or Azure Active Directory device records. For more information, see [Deregister a device](/windows/deployment/windows-autopatch/operate/windows-autopatch-deregister-devices). |
## Your responsibilities after unenrolling your tenant
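Review bot: the rewritten "Windows Autopatch data" row still reads "We wont make changes to any other data", missing the apostrophe ("won't"). Since the line is being touched for the link change anyway, fix it here rather than in a follow-up.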


@ -39,7 +39,7 @@ Users with the following permissions can access the reports:
## About data latency
The data source for these reports is the [Windows diagnostic data](../references/windows-autopatch-privacy.md#microsoft-windows-1011-diagnostic-data). The data typically uploads from enrolled devices once per day. Then, the data is processed in batches before being made available in Windows Autopatch. The maximum end-to-end latency is approximately 24 hours.
The data source for these reports is the [Windows diagnostic data](../overview/windows-autopatch-privacy.md#microsoft-windows-1011-diagnostic-data). The data typically uploads from enrolled devices once per day. Then, the data is processed in batches before being made available in Windows Autopatch. The maximum end-to-end latency is approximately 24 hours.
## Windows quality update statuses


@ -92,8 +92,8 @@ sections:
- question: What happens if there's an issue with an update?
answer: |
Autopatch relies on the following capabilities to help resolve update issues:
- Pausing and resuming: If Windows Autopatch detects an issue with a Windows quality release, we may decide that it's necessary to pause that release. Once the issue is resolved, the release will be resumed. For more information, see [Pausing and resuming a Windows quality release](../operate/windows-autopatch-windows-quality-update-overview.md#pausing-and-resuming-a-release).
- Rollback: If Windows Autopatch detects issues between versions of Microsoft 365 Apps for enterprise, we might force all devices to roll back to the previous version. For more information, see [Update controls for Microsoft 365 Apps for enterprise](../operate/windows-autopatch-microsoft-365-apps-enterprise.md#microsoft-365-apps-for-enterprise-update-controls).
- Pausing and resuming: For more information about pausing and resuming updates, see [pausing and resuming Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md#pausing-and-resuming-a-release).
- Rollback: For more information about Microsoft 365 Apps for enterprise, see [Update controls for Microsoft 365 Apps for enterprise](../operate/windows-autopatch-microsoft-365-apps-enterprise.md#microsoft-365-apps-for-enterprise-update-controls).
- question: Can I permanently pause a Windows feature update deployment?
answer: |
Yes. Windows Autopatch provides a [permanent pause of either a feature update deployment](../operate/windows-autopatch-windows-feature-update-overview.md#pausing-and-resuming-a-release).


@ -63,7 +63,7 @@ Microsoft remains committed to the security of your data and the [accessibility]
| Prepare | The following articles describe the mandatory steps to prepare and enroll your tenant into Windows Autopatch:<ul><li>[Prerequisites](../prepare/windows-autopatch-prerequisites.md)</li><li>[Configure your network](../prepare/windows-autopatch-configure-network.md)</li><li>[Enroll your tenant](../prepare/windows-autopatch-enroll-tenant.md)</li><li>[Fix issues found by the Readiness assessment tool](../prepare/windows-autopatch-fix-issues.md)</li></ul> |
| Deploy | Once you've enrolled your tenant, this section instructs you to:<ul><li>[Add and verify admin contacts](../deploy/windows-autopatch-admin-contacts.md)</li><li>[Register your devices](../deploy/windows-autopatch-register-devices.md)</li></ul> |
| Operate | This section includes the following information about your day-to-day life with the service:<ul><li>[Update management](../operate/windows-autopatch-update-management.md)</li><li>[Maintain your Windows Autopatch environment](../operate/windows-autopatch-maintain-environment.md)</li><li>[Submit a support request](../operate/windows-autopatch-support-request.md)</li><li>[Deregister a device](../operate/windows-autopatch-deregister-devices.md)</li></ul>
| References | This section includes the following articles:<ul><li>[Windows update policies](../references/windows-autopatch-windows-update-unsupported-policies.md)</li><li>[Microsoft 365 Apps for enterprise update policies](../references/windows-autopatch-microsoft-365-policies.md)</li><li>[Privacy](../references/windows-autopatch-privacy.md)</li><li>[Windows Autopatch Preview Addendum](../references/windows-autopatch-preview-addendum.md)</li></ul> |
| References | This section includes the following articles:<ul><li>[Windows update policies](../references/windows-autopatch-windows-update-unsupported-policies.md)</li><li>[Microsoft 365 Apps for enterprise update policies](../references/windows-autopatch-microsoft-365-policies.md)</li><li>[Privacy](../overview/windows-autopatch-privacy.md)</li><li>[Windows Autopatch Preview Addendum](../references/windows-autopatch-preview-addendum.md)</li></ul> |
### Have feedback or would like to start a discussion?


@ -1,7 +1,7 @@
---
title: Privacy
description: This article provides details about the data platform and privacy compliance for Autopatch
ms.date: 02/02/2023
ms.date: 03/13/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: reference
@ -68,16 +68,12 @@ For more information about how Windows diagnostic data is used, see:
## Tenant access
Windows Autopatch creates an enterprise application in your tenant. This enterprise application is a first party application used to run the Windows Autopatch service.
| Enterprise application name | Usage | Permissions |
| ----- | ----- | ----- |
| Modern Workplace Management | This enterprise application is a limited first party enterprise application with elevated privileges. This application is used to manage the service, publish baseline configuration updates, and maintain overall service health. | <ul><li>DeviceManagementApps.ReadWrite.All</li><li>DeviceManagementConfiguration.ReadWrite.All</li><li>DeviceManagementManagedDevices.PriviligedOperation.All</li><li>DeviceManagementManagedDevices.ReadWrite.All</li><li>DeviceManagementRBAC.ReadWrite.All</li><li>DeviceManagementServiceConfig.ReadWrite.All</li><li>Directory.Read.All</li><li>Group.Create</li><li>Policy.Read.All</li><li>WindowsUpdates.Read.Write.All</li></ul>|
For more information about tenant access and changes made to your tenant upon enrolling into Windows Autopatch, see [Changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md).
### Service accounts
> [!IMPORTANT]
> Starting October 12, 2022, Windows Autopatch will manage your tenant with our [first party enterprise application](windows-autopatch-changes-to-tenant.md#windows-autopatch-enterprise-applications). If your tenant is still using the [Windows Autopatch service accounts](windows-autopatch-privacy.md#service-accounts), you must take action. To take action or see if you need to take action, visit the [Tenant management blade](../operate/windows-autopatch-maintain-environment.md#windows-autopatch-tenant-actions) in the Windows Autopatch portal.
> Starting October 12, 2022, Windows Autopatch will manage your tenant with our [enterprise application](../references/windows-autopatch-changes-to-tenant.md#windows-autopatch-enterprise-applications). If your tenant is still using the [Windows Autopatch service accounts](windows-autopatch-privacy.md#service-accounts), you must take action. To take action or see if you need to take action, visit the [Tenant management blade](../operate/windows-autopatch-maintain-environment.md#windows-autopatch-tenant-actions) in the Windows Autopatch portal.
Windows Autopatch creates and uses guest accounts using just-in-time access functionality when signing into a customer tenant to manage the Windows Autopatch service. To provide additional locked down control, Windows Autopatch maintains a separate conditional access policy to restrict access to these accounts.
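Review bot: the permissions table removed from this page listed "DeviceManagementManagedDevices.PriviligedOperation.All" and "WindowsUpdates.Read.Write.All", which are not the Microsoft Graph permission names (DeviceManagementManagedDevices.PrivilegedOperations.All and WindowsUpdates.ReadWrite.All). The table now lives only in windows-autopatch-changes-to-tenant.md, so verify the names there; admins compare this list against the consent prompt and the enterprise application's permissions blade when reviewing what the Modern Workplace Management application is allowed to do, and a misspelled name won't match. Also, the IMPORTANT note's "Starting October 12, 2022, Windows Autopatch will manage your tenant" is now a past date written in future tense.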


@ -25,7 +25,7 @@ This article outlines your responsibilities and Windows Autopatch's responsibili
| Task | Your responsibility | Windows Autopatch |
| ----- | :-----: | :-----: |
| Review the [prerequisites](../prepare/windows-autopatch-prerequisites.md) | :heavy_check_mark: | :x: |
| [Review the service data platform and privacy compliance details](../references/windows-autopatch-privacy.md) | :heavy_check_mark: | :x: |
| [Review the service data platform and privacy compliance details](../overview/windows-autopatch-privacy.md) | :heavy_check_mark: | :x: |
| Ensure device [prerequisites](../prepare/windows-autopatch-prerequisites.md) are met and in place prior to enrollment | :heavy_check_mark: | :x: |
| Ensure [infrastructure and environment prerequisites](../prepare/windows-autopatch-configure-network.md) are met and in place prior to enrollment | :heavy_check_mark: | :x: |
| Prepare to remove your devices from existing unsupported [Windows update](../references/windows-autopatch-windows-update-unsupported-policies.md) and [Microsoft 365](../references/windows-autopatch-microsoft-365-policies.md) policies | :heavy_check_mark: | :x: |


@ -22,7 +22,7 @@ Getting started with Windows Autopatch has been designed to be easy. This articl
| Connectivity | All Windows Autopatch devices require connectivity to multiple Microsoft service endpoints from the corporate network.<p><p>For the full list of required IPs and URLs, see [Configure your network](../prepare/windows-autopatch-configure-network.md). |
| Azure Active Directory | Azure Active Directory must either be the source of authority for all user accounts, or user accounts must be synchronized from on-premises Active Directory using the latest supported version of Azure Active Directory Connect to enable Hybrid Azure Active Directory join.<br><ul><li>For more information, see [Azure Active Directory Connect](/azure/active-directory/hybrid/whatis-azure-ad-connect) and [Hybrid Azure Active Directory join](/azure/active-directory/devices/howto-hybrid-azure-ad-join)</li><li>For more information on supported Azure Active Directory Connect versions, see [Azure AD Connect:Version release history](/azure/active-directory/hybrid/reference-connect-version-history).</li></ul> |
| Device management | [Devices must be already enrolled with Microsoft Intune](/mem/intune/user-help/enroll-windows-10-device) prior to registering with Windows Autopatch. Intune must be set as the Mobile Device Management (MDM) authority or co-management must be turned on and enabled on the target devices.<p><p>At a minimum, the Windows Update, Device configuration and Office Click-to-Run apps workloads must be set to Pilot Intune or Intune. You must also ensure that the devices you intend on bringing to Windows Autopatch are in the targeted device collection. For more information, see [co-management requirements for Windows Autopatch](#configuration-manager-co-management-requirements).<p>Other device management prerequisites include:<ul><li>Devices must be corporate-owned. Windows bring-your-own-devices (BYOD) are blocked during device registration prerequisite checks.</li><li>Devices must be managed by either Intune or Configuration Manager co-management. Devices only managed by Configuration Manager aren't supported.</li><li>Devices must be in communication with Microsoft Intune in the **last 28 days**. Otherwise, the devices won't be registered with Autopatch.</li><li>Devices must be connected to the internet.</li><li>Devices must have a **Serial number**, **Model** and **Manufacturer**. Device emulators that don't generate this information fail to meet **Intune or Cloud-attached** prerequisite check.</li></ul><p>See [Register your devices](/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices) for more details on device prerequisites and on how the device registration process works with Windows Autopatch.<p>For more information on co-management, see [co-management for Windows devices](/mem/configmgr/comanage/overview).</p> |
| Data and privacy | For more information on Windows Autopatch privacy practices, see [Windows Autopatch Privacy](../references/windows-autopatch-privacy.md). |
| Data and privacy | For more information on Windows Autopatch privacy practices, see [Windows Autopatch Privacy](../overview/windows-autopatch-privacy.md). |
## More about licenses


@ -23,7 +23,7 @@ The following configuration details explain the changes made to your tenant when
Enterprise applications are applications (software) that a business uses to do its work.
Windows Autopatch creates an enterprise application in your tenant. This enterprise application is a first party application used to run the Windows Autopatch service.
Windows Autopatch creates an enterprise application in your tenant. This enterprise application is used to run the Windows Autopatch service.
| Enterprise application name | Usage | Permissions |
| ----- | ------ | ----- |
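Review bot: this hunk drops "first party" from "This enterprise application is a first party application used to run the Windows Autopatch service", but the unchanged context line in the privacy page hunk of this same change still says "This enterprise application is a first party application used to run the Windows Autopatch service." If the intent is to stop describing the application as first party, update the privacy page sentence too so the two descriptions of the same application agree.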


@ -43,7 +43,7 @@ Minor corrections such as typos, style, or formatting issues aren't listed.
| Article | Description |
| ----- | ----- |
| [Privacy](../references/windows-autopatch-privacy.md) | Updated data center locations<ul><li>[MC448005](https://admin.microsoft.com/adminportal/home#/MessageCenter) |
| [Privacy](../overview/windows-autopatch-privacy.md) | Updated data center locations<ul><li>[MC448005](https://admin.microsoft.com/adminportal/home#/MessageCenter) |
| [Changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md) | Updated multiple sections because of the OMA-URI to Intune Settings Catalog policy migration<ul><li>[MC443898](https://admin.microsoft.com/adminportal/home#/MessageCenter) |
| [Configure your network](../prepare/windows-autopatch-configure-network.md) | Added information on Delivery Optimization |
| [Microsoft 365 Apps for enterprise](../operate/windows-autopatch-microsoft-365-apps-enterprise.md) | 32 and 64-bit versions are supported |


@ -1,7 +1,7 @@
---
title: What's new 2023
description: This article lists the 2023 feature releases and any corresponding Message center post numbers.
ms.date: 03/10/2023
ms.date: 03/14/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: whats-new
@ -24,13 +24,14 @@ Minor corrections such as typos, style, or formatting issues aren't listed.
| Article | Description |
| ----- | ----- |
| [Microsoft 365 Apps for enterprise](../operate/windows-autopatch-microsoft-365-apps-enterprise.md) | Updated entire article |
| [Customize Windows Update settings](../operate/windows-autopatch-windows-update.md) | New [Customize Windows Update settings](../operate/windows-autopatch-windows-update.md) feature. This feature is in public preview |
| [Microsoft 365 Apps for enterprise](../operate/windows-autopatch-microsoft-365-apps-enterprise.md) | <ul><li>Added support for subscription versions of Microsoft Project and Visio desktop apps</li><li>Updated device eligibility criteria</li><li>Clarified update controls</li></ul> |
| [Customize Windows Update settings](../operate/windows-autopatch-windows-update.md) | New [Customize Windows Update settings](../operate/windows-autopatch-windows-update.md) feature. This feature is in public preview<li>[MC524715](https://admin.microsoft.com/adminportal/home#/MessageCenter)</li> |
### March service release
| Message center post number | Description |
| ----- | ----- |
| [MC527439](https://admin.microsoft.com/adminportal/home#/MessageCenter) | Prepare for Windows Autopatch Groups |
| [MC524715](https://admin.microsoft.com/adminportal/home#/MessageCenter) | Public preview - Customize Windows Update settings |
## February 2023
@ -44,7 +45,7 @@ Minor corrections such as typos, style, or formatting issues aren't listed.
| [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) | Added note about [Windows 10 Long-Term Servicing Channel (LTSC) support](../operate/windows-autopatch-windows-quality-update-overview.md#device-eligibility) |
| [Register your devices](../deploy/windows-autopatch-register-devices.md) | Added note about [Windows 10 Long-Term Servicing Channel (LTSC) support](../deploy/windows-autopatch-register-devices.md#prerequisites-for-device-registration) |
| [Prerequisites](../prepare/windows-autopatch-prerequisites.md) | Added note about [Windows 10 Long-Term Servicing Channel (LTSC) support](../prepare/windows-autopatch-prerequisites.md#more-about-licenses) |
| [Privacy](../references/windows-autopatch-privacy.md) | Added additional resources to the [Microsoft Windows 10/11 diagnostic data](../references/windows-autopatch-privacy.md#microsoft-windows-1011-diagnostic-data) section |
| [Privacy](../overview/windows-autopatch-privacy.md) | Added additional resources to the [Microsoft Windows 10/11 diagnostic data](../overview/windows-autopatch-privacy.md#microsoft-windows-1011-diagnostic-data) section |
| [Changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md) | Updated Feature update policies section with Windows Autopatch - DSS Policy [deployment ring] |
| [Register your devices](../deploy/windows-autopatch-register-devices.md) |<ul><li>Updated the [Built-in roles required for registration](../deploy/windows-autopatch-register-devices.md#built-in-roles-required-for-device-registration) section</li><li>Added more information about assigning less-privileged user accounts</li></ul> |
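Review bot: the updated "Customize Windows Update settings" row ends with a bare `<li>[MC524715](...)</li>` that is not wrapped in `<ul>...</ul>`, unlike the row above it, which uses `<ul><li>...</li></ul>`. Wrap it the same way so the message center link renders as a list item consistently in the table.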


@ -34,6 +34,7 @@
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"adobe-target": true,
"ms.collection": [
"tier1"
],


@ -34,6 +34,7 @@
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"adobe-target": true,
"breadcrumb_path": "/windows/resources/breadcrumb/toc.json",
"uhfHeaderId": "MSDocsHeader-M365-IT",
"ms.technology": "windows",


@ -162,7 +162,21 @@
- name: Personal Data Encryption (PDE) frequently asked questions (FAQ)
href: information-protection/personal-data-encryption/faq-pde.yml
- name: Configure Personal Data Encryption (PDE) in Intune
href: information-protection/personal-data-encryption/configure-pde-in-intune.md
items:
- name: Configure Personal Data Encryption (PDE) in Intune
href: information-protection/personal-data-encryption/configure-pde-in-intune.md
- name: Enable Personal Data Encryption (PDE)
href: information-protection/personal-data-encryption/pde-in-intune/intune-enable-pde.md
- name: Disable Winlogon automatic restart sign-on (ARSO) for PDE
href: information-protection/personal-data-encryption/pde-in-intune/intune-disable-arso.md
- name: Disable kernel-mode crash dumps and live dumps for PDE
href: information-protection/personal-data-encryption/pde-in-intune/intune-disable-memory-dumps.md
- name: Disable Windows Error Reporting (WER)/user-mode crash dumps for PDE
href: information-protection/personal-data-encryption/pde-in-intune/intune-disable-wer.md
- name: Disable hibernation for PDE
href: information-protection/personal-data-encryption/pde-in-intune/intune-disable-hibernation.md
- name: Disable allowing users to select when a password is required when resuming from connected standby for PDE
href: information-protection/personal-data-encryption/pde-in-intune/intune-disable-password-connected-standby.md
- name: Configure S/MIME for Windows
href: identity-protection/configure-s-mime.md
- name: Network security


@ -34,6 +34,7 @@
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"adobe-target": true,
"ms.collection": [
"tier2"
],


@ -1,16 +1,16 @@
---
title: Having enough Domain Controllers for Windows Hello for Business deployments
description: Guide for planning to have an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments
ms.date: 08/20/2018
title: Plan an adequate number of Domain Controllers for Windows Hello for Business deployments
description: Learn how to plan for an adequate number of Domain Controllers to support Windows Hello for Business deployments.
ms.date: 03/10/2023
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016 and later</a>
ms.topic: article
ms.topic: conceptual
---
# Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments
# Plan an adequate number of Domain Controllers for Windows Hello for Business deployments
> [!NOTE]
>There was an issue with key trust authentication on Windows Server 2019. To fix it, refer to [KB4487044](https://support.microsoft.com/en-us/help/4487044/windows-10-update-kb4487044).
>There was an issue with key trust authentication on Windows Server 2019. To fix it, refer to [KB4487044](https://support.microsoft.com/help/4487044/windows-10-update-kb4487044).
## How many is adequate
@ -79,7 +79,7 @@ Using the same methods described above, monitor the Kerberos authentication afte
```"Every n Windows Hello for Business clients results in x percentage of key-trust authentication."```
Where *n* equals the number of clients you switched to Windows Hello for Business and _x_ equals the increased percentage of authentication from the upgraded domain controller. Armed with this information, you can apply the observations of upgrading domain controllers and increasing Windows Hello for Business client count to appropriately phase your deployment.
Where *n* equals the number of clients you switched to Windows Hello for Business and *x* equals the increased percentage of authentication from the upgraded domain controller. Armed with this information, you can apply the observations of upgrading domain controllers and increasing Windows Hello for Business client count to appropriately phase your deployment.
Remember, increasing the number of clients changes the volume of authentication distributed across the Windows Server 2016 or newer domain controllers. If there is only one Windows Server 2016 or newer domain controller, there's no distribution and you are simply increasing the volume of authentication for which THAT domain controller is responsible.


@ -1,41 +1,35 @@
---
title: Windows Hello and password changes (Windows)
description: When you change your password on a device, you may need to sign in with a password on other devices to reset Hello.
ms.date: 07/27/2017
title: Windows Hello and password changes
description: Learn the impact of changing a password when using Windows Hello.
ms.date: 03/15/2023
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
ms.topic: article
ms.topic: conceptual
---
# Windows Hello and password changes
When you set up Windows Hello, the PIN or biometric gesture that you use is specific to that device. You can set up Hello for the same account on multiple devices. If the PIN or biometric is configured as part of Windows Hello for Business, changing the account password will not impact sign-in or unlock with these gestures since it uses a key or certificate. However, if Windows Hello for Business is not deployed and the password for that account changes, you must provide the new password on each device to continue to use Hello.
When you set up Windows Hello, the PIN or biometric gesture that you use is specific to that device. You can set up Hello for the same account on multiple devices. If Windows Hello for Business isn't deployed and the password for that account changes, you must provide the new password on each device to continue to use Hello.
## Example
> [!Note]
> This article doesn't apply to Windows Hello for Business. Change the account password will not affect sign-in or unlock, since Windows Hello for Business uses a key or certificate.
**Example 1**
Let's suppose that you have set up a PIN for your Microsoft account on **Device A**. You use your PIN to sign in on **Device A** and then change the password for your Microsoft account.
Because you were using **Device A** when you changed your password, the PIN on **Device A** will continue to work with no other action on your part.
Since you were using **Device A** when you changed your password, the PIN on **Device A** will continue to work with no other action on your part.
Suppose instead that you sign in on **Device B** and change your password for your Microsoft account. The next time that you try to sign in on **Device A** using your PIN, sign-in will fail because the account credentials that Hello on **Device A** knows will be outdated.
**Example 2**
Suppose that you sign in on **Device B** and change your password for your Microsoft account. The next time that you try to sign in on **Device A** using your PIN, sign-in will fail because the account credentials that Hello on **Device A** knows will be outdated.
>[!NOTE]
>This example also applies to an Active Directory account when [Windows Hello for Business is not implemented](hello-manage-in-organization.md).
 
## How to update Hello after you change your password on another device
1. When you try to sign in using your PIN or biometric, you will see the following message: **Your password was changed on a different device. You must sign in to this device once with your new password, and then you can sign in with your PIN.**
2. Click **OK.**
3. Click **Sign-in options**.
4. Click the **Password** button.
5. Sign in with new password.
6. The next time that you sign in, you can select **Sign-in options** and then select **PIN** to resume using your PIN.
## Related topics
- [Windows Hello for Business](hello-identity-verification.md)
- [How Windows Hello for Business works](hello-how-it-works.md)
- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md)
- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
- [Event ID 300 - Windows Hello successfully created](/windows/security/identity-protection/hello-for-business/hello-faq)
- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
1. When you try to sign in using your PIN or biometric, you'll see the following message: **Your password was changed on a different device. You must sign in to this device once with your new password, and then you can sign in with your PIN.**
1. Select **OK**
1. Select **Sign-in options**
1. Select **Password**
1. Sign in with new password
1. The next time that you sign in, you can select **Sign-in options > PIN** to resume using your PIN.
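Review bot: the new note reads "Change the account password will not affect sign-in or unlock" and should be "Changing the account password won't affect sign-in or unlock". Minor: the rewritten numbered steps drop the trailing periods ("Select **OK**", "Sign in with new password") while steps 1 and 6 keep them; suggest "Sign in with your new password." and consistent punctuation across the list.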

View File

@ -5,7 +5,7 @@ ms.collection:
- ContentEngagementFY23
- tier1
ms.topic: article
ms.date: 11/15/2022
ms.date: 03/15/2023
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
---

View File

@ -109,7 +109,7 @@ sections:
- The PIN 9630 has a constant delta of (7,7,7), so it isn't allowed
- The PIN 1593 has a constant delta of (4,4,4), so it isn't allowed
- The PIN 7036 has a constant delta of (3,3,3), so it isn't allowed
- The PIN 1231 doesn't have a constant delta (1,1,8), so it's allowed
- The PIN 1231 doesn't have a constant delta (1,1,2), so it's allowed
- The PIN 1872 doesn't have a constant delta (7,9,5), so it's allowed
This check prevents repeating numbers, sequential numbers, and simple patterns. It always results in a list of 100 disallowed PINs (independent of the PIN length). This algorithm doesn't apply to alphanumeric PINs.
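Review bot: changing the delta for PIN 1231 from (1,1,8) to (1,1,2) makes it inconsistent with the other examples in this list, which all compute each delta as (next digit minus previous digit) mod 10: 9630 gives (7,7,7), 7036 gives (3,3,3) and 1872 gives (7,9,5). Under that rule 3 to 1 is -2 mod 10 = 8, so (1,1,8) was correct; (1,1,2) would only be right under an absolute-difference rule, under which 9630 would read (3,3,3) and 1593 (4,4,6). Suggest reverting this line or, if absolute differences are intended, updating all five examples together.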
@ -238,7 +238,7 @@ sections:
- attempting to access on-premises resources secured by Active Directory
- question: Can I use RDP/VDI with Windows Hello for Business cloud Kerberos trust?
answer: |
Windows Hello for Business cloud Kerberos trust can't be used as a supplied credential with RDP/VDI. Similar to key trust, cloud Kerberos trust can be used for RDP with [remote credential guard][/windows/security/identity-protection/remote-credential-guard] or if a [certificate is enrolled into Windows Hello for Business](hello-deployment-rdp-certs.md) for this purpose.
Windows Hello for Business cloud Kerberos trust can't be used as a supplied credential with RDP/VDI. Similar to key trust, cloud Kerberos trust can be used for RDP with [Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard) or if a [certificate is enrolled into Windows Hello for Business](hello-deployment-rdp-certs.md) for this purpose.
- question: Do all my domain controllers need to be fully patched as per the prerequisites for me to use Windows Hello for Business cloud Kerberos trust?
answer: |
No, only the number necessary to handle the load from all cloud Kerberos trust devices.

View File

@ -1,33 +1,38 @@
---
title: Dynamic lock
description: Learn how to set Dynamic lock on Windows 10 and Windows 11 devices, by configuring group policies. This feature locks a device when a Bluetooth signal falls below a set value.
ms.date: 07/12/2022
description: Learn how to configure dynamic lock on Windows devices via group policies. This feature locks a device when a Bluetooth signal falls below a set value.
ms.date: 03/10/2023
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
ms.topic: article
ms.topic: how-to
---
# Dynamic lock
Dynamic lock enables you to configure Windows devices to automatically lock when Bluetooth paired device signal falls below the maximum Received Signal Strength Indicator (RSSI) value. This makes it more difficult for someone to gain access to your device if you step away from your PC and forget to lock it.
Dynamic lock is a feature that automatically locks a Windows device when a Bluetooth paired phone signal falls below the maximum Received Signal Strength Indicator (RSSI) value. The feature makes it more difficult for someone to gain access to your device if you step away from your PC and forget to lock it.
> [!IMPORTANT]
> This feature only locks the computer if the Bluetooth signal falls and the system is idle. If the system isn't idle (for example, an intruder gets access _before_ the Bluetooth signal falls below the limit), the device won't lock. Therefore, the dynamic lock feature is an additional barrier. It doesn't replace the need for the user to lock the computer. It only reduces the probability of someone gaining access if the user forgets to lock it.
> The dynamic lock feature only locks the device if the Bluetooth signal falls **and** the system is idle. If the system isn't idle (for example, an intruder gets access *before* the Bluetooth signal falls below the limit), the device won't lock. Therefore, the dynamic lock feature is an additional barrier. It doesn't replace the need for the user to lock the computer. It only reduces the probability of someone gaining access if the user forgets to lock it.
You configure the dynamic lock policy using Group Policy. You can locate the policy setting at **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business**. The name of the policy is **Configure dynamic lock factors**.
You can configure Windows devices to use the **dynamic lock** using a Group Policy Object (GPO).
1. Using the Group Policy Management Console (GPMC), scope a domain-based Group Policy to computer accounts in Active Directory.
1. Edit the Group Policy object from Step 1.
1. Enable the **Configure dynamic lock factors** policy setting located under **Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business**.
1. Close the Group Policy Management Editor to save the Group Policy object.
The Group Policy Editor, when the policy is enabled, creates a default signal rule policy with the following value:
```
```xml
<rule schemaVersion="1.0">
<signal type="bluetooth" scenario="Dynamic Lock" classOfDevice="512" rssiMin="-10" rssiMaxDelta="-10"/>
<signal type="bluetooth" scenario="Dynamic Lock" classOfDevice="512" rssiMin="-10" rssiMaxDelta="-10"/>
</rule>
```
>[!IMPORTANT]
>Microsoft recommends using the default values for this policy settings. Measurements are relative based on the varying conditions of each environment. Therefore, the same values may produce different results. Test policy settings in each environment prior to broadly deploying the setting.
For this policy setting, the **type** and **scenario** attribute values are static and cannot change. The **classofDevice** is configurable but Phone is the only currently supported configuration. The attribute defaults to Phones and uses the values from the following table:
For this policy setting, the **type** and **scenario** attribute values are static and can't change. The **classofDevice** is configurable but Phone is the only currently supported configuration. The attribute defaults to Phone and uses the values from the following table:
|Description|Value|
|:-------------|:-------:|
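Review bot: in the rewritten sentence "The **classofDevice** is configurable ..." the attribute is spelled classofDevice while the XML sample above uses classOfDevice; suggest matching the XML casing (`classOfDevice`) so readers searching for the attribute find it. Also, step 3 of the new procedure tells the reader to enable the policy setting but the default signal rule is only introduced afterwards; a short pointer there ("accept the default signal rule or edit it as described below") would keep the procedure self-contained.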
@ -43,17 +48,6 @@ For this policy setting, the **type** and **scenario** attribute values are stat
|Health|2304|
|Uncategorized|7936|
The **rssiMin** attribute value signal indicates the strength needed for the device to be considered "in-range". The default value of **-10** enables a user to move about an average size office or cubicle without triggering Windows to lock the device. The **rssiMaxDelta** has a default value of **-10**, which instruct Windows to lock the device once the signal strength weakens by more than measurement of 10.
The **rssiMin** attribute value signal indicates the strength needed for the device to be considered *in-range*. The default value of **-10** enables a user to move about an average size office or cubicle without triggering Windows to lock the device. The **rssiMaxDelta** has a default value of **-10**, which instruct Windows to lock the device once the signal strength weakens by more than measurement of 10.
RSSI measurements are relative and lower as the bluetooth signals between the two paired devices reduces. Therefore a measurement of 0 is stronger than -10, which is stronger than -60, which is an indicator the devices are moving further apart from each other.
## Related topics
* [Windows Hello for Business](hello-identity-verification.md)
* [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md)
* [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
* [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
* [Windows Hello and password changes](hello-and-password-changes.md)
* [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
* [Event ID 300 - Windows Hello successfully created](/windows/security/identity-protection/hello-for-business/hello-faq)
* [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
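Review bot: the rewritten rssiMaxDelta sentence keeps a subject-verb mismatch ("which instruct Windows") and an awkward tail ("by more than measurement of 10"); suggest "which instructs Windows to lock the device once the signal strength weakens by more than 10." The following context line also has "bluetooth" in lowercase where the rest of the article capitalizes Bluetooth.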

View File

@ -4,10 +4,10 @@ description: Learn how Microsoft PIN reset services enable you to help users rec
ms.collection:
- highpri
- tier1
ms.date: 07/29/2022
ms.date: 03/10/2023
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
ms.topic: article
ms.topic: how-to
---
# PIN reset
@ -20,12 +20,10 @@ There are two forms of PIN reset:
- **Non-destructive PIN reset**: with this option, the user's Windows Hello for Business container and keys are preserved, but the user's PIN that they use to authorize key usage is changed. For non-destructive PIN reset, you must deploy the **Microsoft PIN Reset Service** and configure your clients' policy to enable the **PIN Recovery** feature.
## Using PIN reset
There are two forms of PIN reset called destructive and non-destructive. Destructive PIN reset is the default and doesn't require configuration. During a destructive PIN reset, the user's existing PIN and underlying credentials, including any keys or certificates added to their Windows Hello container, will be deleted from the client and a new logon key and PIN are provisioned. For non-destructive PIN reset, you must deploy the Microsoft PIN reset service and client policy to enable the PIN recovery feature. During a non-destructive PIN reset, the user's Windows Hello for Business container and keys are preserved, but the user's PIN that they use to authorize key usage is changed.
Destructive and non-destructive PIN reset use the same steps for initiating a PIN reset. If users have forgotten their PINs, but have an alternate sign-in method, they can navigate to Sign-in options in *Settings* and initiate a PIN reset from the PIN options. If users don't have an alternate way to sign into their devices, PIN reset can also be initiated from the Windows lock screen in the PIN credential provider.
>[!IMPORTANT]
>For hybrid Azure AD-joined devices, users must have corporate network connectivity to domain controllers to complete destructive PIN reset. If AD FS is being used for certificate trust or for on-premises only deployments, users must also have corporate network connectivity to federation services to reset their PIN.
@ -35,7 +33,6 @@ Destructive and non-destructive PIN reset use the same steps for initiating a PI
1. Open **Settings**, select **Accounts** > **Sign-in options**.
1. Select **PIN (Windows Hello)** > **I forgot my PIN** and follow the instructions.
### Reset PIN above the Lock Screen
For Azure AD-joined devices:
@ -46,7 +43,6 @@ For Azure AD-joined devices:
1. Follow the instructions provided by the provisioning process.
1. When finished, unlock your desktop using your newly created PIN.
For Hybrid Azure AD-joined devices:
1. If the PIN credential provider isn't selected, expand the **Sign-in options** link, and select the PIN pad icon.
@ -58,14 +54,14 @@ For Hybrid Azure AD-joined devices:
> [!NOTE]
> Key trust on hybrid Azure AD-joined devices does not support destructive PIN reset from above the Lock Screen. This is due to the sync delay between when a user provisions their Windows Hello for Business credential and being able to use it for sign-in. For this deployment model, you must deploy non-destructive PIN reset for above lock PIN reset to work.
You may find that PIN reset from settings only works post login. Also, the "lock screen" PIN reset function won't work if you have any matching limitation of self-service password reset from the lock screen. For more information, see [Enable Azure Active Directory self-service password reset at the Windows sign-in screen - General ](/azure/active-directory/authentication/howto-sspr-windows#general-limitations).
You may find that PIN reset from settings only works post login. Also, the lock screen PIN reset function won't work if you have any matching limitation of self-service password reset from the lock screen. For more information, see [Enable Azure Active Directory self-service password reset at the Windows sign-in screen - General ](/azure/active-directory/authentication/howto-sspr-windows#general-limitations).
## Non-Destructive PIN reset
**Requirements:**
- Azure Active Directory
- Windows 10, version 1709 to 1809, Enterprise Edition. There's no licensing requirement for this feature since version 1903.
- Windows Enterprise and Pro editions. There's no licensing requirement for this feature.
- Hybrid Windows Hello for Business deployment
- Azure AD registered, Azure AD joined, and Hybrid Azure AD joined
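Review bot: the rewritten sentence keeps a stray space inside the link text ("... at the Windows sign-in screen - General ](" ), which renders as trailing whitespace in the link; suggest "- General](/azure/...)". Also, "post login" reads better as "after sign-in", matching the terminology used elsewhere in the article.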
@ -83,7 +79,7 @@ Using Group Policy, Microsoft Intune or a compatible MDM solution, you can confi
|Category|Destructive PIN Reset|Non-Destructive PIN Reset|
|--- |--- |--- |
|**Functionality**|The user's existing PIN and underlying credentials, including any keys or certificates added to their Windows Hello container, will be deleted from the client and a new logon key and PIN are provisioned.|You must deploy the Microsoft PIN reset service and client policy to enable the PIN recovery feature. For more information on how to deploy the Microsoft PIN reset service and client policy, see [Connect Azure Active Directory with the PIN reset service](#connect-azure-active-directory-with-the-pin-reset-service). During a non-destructive PIN reset, the user's Windows Hello for Business container and keys are preserved, but the user's PIN that they use to authorize key usage is changed.|
|**Windows editions and versions**|Reset from settings - Windows 10, version 1703 or later, Windows 11. Reset above Lock - Windows 10, version 1709 or later, Windows 11.|Windows 10, version 1709 to 1809, Enterprise Edition. There isn't any licensing requirement for this feature since version 1903. Enterprise Edition and Pro edition with Windows 10, version 1903 and newer Windows 11.|
|**Windows editions and versions**| Windows Enterprise and Pro editions.|
|**Azure Active Directory Joined**|Cert Trust, Key Trust, and cloud Kerberos trust|Cert Trust, Key Trust, and cloud Kerberos trust|
|**Hybrid Azure Active Directory Joined**|Cert Trust and cloud Kerberos trust for both settings and above the lock support destructive PIN reset. Key Trust doesn't support this from above the lock screen. This is due to the sync delay between when a user provisions their Windows Hello for Business credential and being able to use it for sign-in. It does support from the settings page and the users must have a corporate network connectivity to the DC. |Cert Trust, Key Trust, and cloud Kerberos trust for both settings and above the lock support non-destructive PIN reset. No network connection is required for the DC.|
|**On Premises**|If ADFS is being used for on premises deployments, users must have a corporate network connectivity to federation services. |The PIN reset service relies on Azure Active Directory identities, so it's only available for Hybrid Azure Active Directory Joined and Azure Active Directory Joined devices.|
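Review bot: the replacement row for "Windows editions and versions" has only two cells but the table has three columns (Category, Destructive PIN Reset, Non-Destructive PIN Reset), so "Windows Enterprise and Pro editions." lands in the Destructive column and the Non-Destructive column renders empty. Suggest `|**Windows editions and versions**|Windows Enterprise and Pro editions.|Windows Enterprise and Pro editions.|`, or keep the destructive-reset versions from the removed row in the second cell if they still apply.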
@ -94,7 +90,6 @@ Using Group Policy, Microsoft Intune or a compatible MDM solution, you can confi
> The **Microsoft PIN Reset Service** is not currently available in Azure Government.
### Enable the Microsoft PIN Reset Service in your Azure AD tenant
Before you can remotely reset PINs, you must register two applications in your Azure Active Directory tenant:

View File

@ -1,7 +1,7 @@
---
title: Windows Hello for Business hybrid certificate trust deployment
description: Learn how to deploy Windows Hello for Business in a hybrid certificate trust scenario.
ms.date: 12/28/2022
ms.date: 03/16/2023
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016 and later</a>
@ -19,7 +19,7 @@ This deployment guide describes how to deploy Windows Hello for Business in a hy
> [!IMPORTANT]
> Windows Hello for Business *cloud Kerberos trust* is the recommended deployment model when compared to the *key trust model*. It is also the recommended deployment model if you don't need to deploy certificates to the end users. For more information, see [cloud Kerberos trust deployment](hello-hybrid-cloud-kerberos-trust.md).
It is recommended that you review the [Windows Hello for Business planning guide](hello-planning-guide.md) prior to using the deployment guide. The planning guide helps you make decisions by explaining the available options with each aspect of the deployment and explains the potential outcomes based on each of these decisions.
It's recommended that you review the [Windows Hello for Business planning guide](hello-planning-guide.md) prior to using the deployment guide. The planning guide helps you make decisions by explaining the available options with each aspect of the deployment and explains the potential outcomes based on each of these decisions.
## Prerequisites
The following prerequisites must be met for a hybrid certificate trust deployment:
@ -64,18 +64,20 @@ Once you have your AD FS design ready:
The AD FS farm used with Windows Hello for Business must be Windows Server 2016 with minimum update of [KB4088889 (14393.2155)](https://support.microsoft.com/help/4088889).
### Device registration
### Device registration and device write-back
Windows devices must be registered in Azure AD. Devices can be registered in Azure AD using either *Azure AD join* or *hybrid Azure AD join*.\
For *hybrid Azure AD joined* devices, review the guidance on the [plan your hybrid Azure Active Directory join implementation][AZ-8] page.
For hybrid Azure AD joined devices, review the guidance on the [plan your hybrid Azure Active Directory join implementation][AZ-8] page.
Hybrid certificate trust deployments need the device write back feature. Authentication to AD FS needs both the user and the computer to authenticate. Typically the users are synchronized, but not devices. This prevents AD FS from authenticating the computer and results in Windows Hello for Business certificate enrollment failures. For this reason, Windows Hello for Business deployments need device write-back.
Refer to the [Configure hybrid Azure Active Directory join for federated domains][AZ-10] guide to learn more about using Azure AD Connect Sync to configure Azure AD device registration.\
For a **manual configuration** of your AD FS farm to support device registration, review the [Configure AD FS for Azure AD device registration][AZ-11] guide.
Hybrid certificate trust deployments require the *device write-back* feature. Authentication to AD FS needs both the user and the device to authenticate. Typically the users are synchronized, but not devices. This prevents AD FS from authenticating the device and results in Windows Hello for Business certificate enrollment failures. For this reason, Windows Hello for Business deployments need device write-back.
> [!NOTE]
> Windows Hello for Business is tied between a user and a device. Both the user and device need to be synchronized between Azure Active Directory and Active Directory. Device write-back is used to update the msDS-KeyCredentialLink attribute on the computer object.
> Windows Hello for Business is tied between a user and a device. Both the user and device need to be synchronized between Azure Active Directory and Active Directory. Device write-back is used to update the *msDS-KeyCredentialLink* attribute on the computer object.
Refer to the [configure hybrid Azure Active Directory join for federated domains][AZ-10] guide to learn more about setting up Azure AD Connect Sync to support Azure AD device registration.
For a manual configuration of your AD FS farm to support device registration, review the [Configure AD FS for Azure AD device registration][AZ-11] guide.
If you manually configured AD FS, or if you ran Azure AD Connect Sync using *Custom Settings*, you must ensure that you have configured **device write-back** and **device authentication** in your AD FS farm. For more information, see [Configure Device Write Back and Device Authentication][SER-5].
### Public Key Infrastructure
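Review bot: style: the new line "For hybrid Azure AD joined devices, review the guidance ..." drops the italics that the preceding context line keeps on *Azure AD join* and *hybrid Azure AD join*; suggest keeping the emphasis consistent within the section. Likewise the new paragraph writes *device write-back* in italics while the last added line bolds **device write-back**; pick one style.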
@ -130,3 +132,4 @@ Once the prerequisites are met, deploying Windows Hello for Business with a hybr
[SER-2]: /windows-server/identity/ad-fs/deployment/deploying-a-federation-server-farm
[SER-3]: /windows-server/identity/ad-fs/technical-reference/understanding-key-ad-fs-concepts
[SER-4]: /windows-server/identity/ad-fs/design/ad-fs-design-guide-in-windows-server-2012-r2
[SER-5]: /windows-server/identity/ad-fs/operations/configure-device-based-conditional-access-on-premises#configure-device-write-back-and-device-authentication

View File

@ -77,4 +77,4 @@ Before moving to the next section, ensure the following steps are complete:
> - Update group memberships for the AD FS service account
> [!div class="nextstepaction"]
> [Next: configure policy settings >](/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-provision)
> [Next: configure policy settings >](/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision)

View File

@ -178,8 +178,6 @@ If you deployed Windows Hello for Business using the key trust model, and want t
> [!NOTE]
> For hybrid Azure AD joined devices, users must perform the first sign in with new credentials while having line of sight to a DC.
>
> Without line of sight to a DC, even when the client is configured to use cloud Kerberos trust, the system will fall back to key trust if cloud Kerberos trust login fails.
## Migrate from certificate trust deployment model to cloud Kerberos trust
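Review bot: removing the line "Without line of sight to a DC, even when the client is configured to use cloud Kerberos trust, the system will fall back to key trust if cloud Kerberos trust login fails." drops the only statement of the fallback behaviour in this note. If the behaviour changed, the commit message should say so; if it still holds, the sentence should stay, since it explains why the first sign-in needs a DC.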

View File

@ -1,86 +1,73 @@
---
title: Why a PIN is better than an online password (Windows)
description: Windows Hello enables users to sign in to their device using a PIN. How is a PIN different from (and better than) an online password.
title: Why a PIN is better than an online password
description: Windows Hello enables users to sign in to their devices using a PIN. Learn how is a PIN different from (and better than) an online password.
ms.collection:
- highpri
- tier1
ms.date: 10/23/2017
ms.date: 03/15/2023
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
ms.topic: article
ms.topic: conceptual
---
# Why a PIN is better than an online password
Windows Hello enables users to sign in to their device using a PIN. How is a PIN different from (and better than) a local password?
On the surface, a PIN looks much like a password. A PIN can be a set of numbers, but enterprise policy might allow complex PINs that include special characters and letters, both upper-case and lower-case. Something like **t758A!** could be an account password or a complex Hello PIN. It isn't the structure of a PIN (length, complexity) that makes it better than an online password, it's how it works. First we need to distinguish between two types of passwords: `local` passwords are validated against the machine's password store, whereas `online` passwords are validated against a server. This article mostly covers the benefits a PIN has over an online password, and also why it can be considered even better than a local password.
On the surface, a PIN looks much like a password. A PIN can be a set of numbers, but enterprise policy might enforce complex PINs that include special characters and letters, both upper-case and lower-case. Something like **t758A!** could be an account password or a complex Hello PIN. It isn't the structure of a PIN (length, complexity) that makes it better than an online password, it's how it works. First, we need to distinguish between two types of passwords: *local passwords* are validated against the machine's password store, whereas *online passwords* are validated against a server. This article mostly covers the benefits a PIN has over an online password, and also why it can be considered even better than a local password.
Watch Dana Huang explain why a Windows Hello for Business PIN is more secure than an online password.
> [!VIDEO https://www.youtube.com/embed/cC24rPBvdhA]
## PIN is tied to the device
## A PIN is tied to the device
One important difference between an online password and a Hello PIN is that the PIN is tied to the specific device on which it was set up. That PIN is useless to anyone without that specific hardware. Someone who steals your online password can sign in to your account from anywhere, but if they steal your PIN, they'd have to steal your physical device too!
One important difference between an online password and a Hello PIN is that the PIN is tied to the specific device on which it was set up. That PIN is useless to anyone without that specific hardware. Someone who obtains your online password can sign in to your account from anywhere, but if they obtain your PIN, they'd have to access your device too.
Even you can't use that PIN anywhere except on that specific device. If you want to sign in on multiple devices, you have to set up Hello on each device.
The PIN can't be used anywhere except on that specific device. If you want to sign in on multiple devices, you have to set up Hello on each device.
## PIN is local to the device
An online password is transmitted to the server -- it can be intercepted in transmission or stolen from a server. A PIN is local to the device -- it isn't transmitted anywhere and it isn't stored on the server.
When the PIN is created, it establishes a trusted relationship with the identity provider and creates an asymmetric key pair that is used for authentication. When you enter your PIN, it unlocks the authentication key and uses the key to sign the request that is sent to the authenticating server.
However, note that even though local passwords are also local to the device, they are still less secure than a PIN, as described in the next section.
An online password is transmitted to the server. The password can be intercepted in transmission or obtained from a server. A PIN is local to the device, never transmitted anywhere, and it isn't stored on the server.
When the PIN is created, it establishes a trusted relationship with the identity provider and creates an asymmetric key pair that is used for authentication. When you enter your PIN, you unlock the authentication key, which is used to sign the request that is sent to the authenticating server.
Even though local passwords are local to the device, they're less secure than a PIN, as described in the next section.
>[!NOTE]
>For details on how Hello uses asymetric key pairs for authentication, see [Windows Hello for Business](hello-overview.md#benefits-of-windows-hello).
 
>For details on how Hello uses asymmetric key pairs for authentication, see [Windows Hello for Business](hello-overview.md#benefits-of-windows-hello).
## PIN is backed by hardware
The Hello PIN is backed by a Trusted Platform Module (TPM) chip, which is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper resistant, and malicious software is unable to tamper with the security functions of the TPM. Many modern devices have TPM. Windows 10, on the other hand, has a defect of not linking local passwords to TPM. This is the reason why PINs are considered more secure than local passwords.
The Hello PIN is backed by a Trusted Platform Module (TPM) chip, which is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper resistant, and malicious software is unable to tamper with the security functions of the TPM. Windows doesn't link local passwords to TPM, therefore PINs are considered more secure than local passwords.
User key material is generated and available within the Trusted Platform Module (TPM) of the user device, which protects it from attackers who want to capture the key material and reuse it. Because Hello uses asymmetric key pairs, users credentials can't be stolen in cases where the identity provider or websites the user accesses have been compromised.
The TPM protects against a variety of known and potential attacks, including PIN brute-force attacks. After too many incorrect guesses, the device is locked.
User key material is generated and available within the TPM of the device. The TPM protects the key material from attackers who want to capture and reuse it. Since Hello uses asymmetric key pairs, users credentials can't be stolen in cases where the identity provider or websites the user accesses have been compromised.
The TPM protects against various known and potential attacks, including PIN brute-force attacks. After too many incorrect guesses, the device is locked.
## PIN can be complex
The Windows Hello for Business PIN is subject to the same set of IT management policies as a password, such as complexity, length, expiration, and history. Although we generally think of a PIN as a simple four-digit code, administrators can set [policies](hello-manage-in-organization.md) for managed devices to require a PIN complexity similar to a password. You can require or block: special characters, uppercase characters, lowercase characters, and digits.
## What if someone steals the laptop or phone?
## What if someone steals the device?
To compromise a Windows Hello credential that TPM protects, an attacker must have access to the physical device, and then must find a way to spoof the user's biometrics or guess his or her PIN—and all of this must be done before [TPM anti-hammering](/windows/device-security/tpm/tpm-fundamentals#anti-hammering) protection locks the device.
You can provide additional protection for laptops that don't have TPM by enabling BitLocker and setting a policy to limit failed sign-ins.
To compromise a Windows Hello credential that TPM protects, an attacker must have access to the physical device. Then, the attacker must find a way to spoof the user's biometrics or guess the PIN. All these actions must be done before [TPM anti-hammering](/windows/device-security/tpm/tpm-fundamentals#anti-hammering) protection locks the device.
You can provide more protection for laptops that don't have TPM by enabling BitLocker and setting a policy to limit failed sign-ins.
### Configure BitLocker without TPM
1. Use the Local Group Policy Editor (gpedit.msc) to enable the following policy:
To enable BitLocker without TPM, follow these steps:
**Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives > Require additional authentication at startup**
2. In the policy option, select **Allow BitLocker without a compatible TPM**, and then click **OK.**
3. Go to Control Panel > **System and Security > BitLocker Drive Encryption** and select the operating system drive to protect.
1. Open the Local Group Policy Editor (gpedit.msc) and enable the policy: **Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives > Require additional authentication at startup**
1. In the policy option, select **Allow BitLocker without a compatible TPM > OK**
1. On the device, open **Control Panel > System and Security > BitLocker Drive Encryption**
1. Select the operating system drive to protect
### Set account lockout threshold
1. Use the Local Group Policy Editor (gpedit.msc) to enable the following policy:
To configure account lockout threshold, follow these steps:
**Computer Configuration > Windows Settings > Security Settings > Account Policies > Account Lockout Policy > Account lockout threshold**
2. Set the number of invalid logon attempts to allow, and then click OK.
1. Open the Local Group Policy Editor (gpedit.msc) and enable the policy: **Computer Configuration > Windows Settings > Security Settings > Account Policies > Account Lockout Policy > Account lockout threshold**
1. Set the number of invalid logon attempts to allow, and then select OK
## Why do you need a PIN to use biometrics?
Windows Hello enables biometric sign-in for Windows 10: fingerprint, iris, or facial recognition. When you set up Windows Hello, you're asked to create a PIN first. This PIN enables you to sign in using the PIN when you can't use your preferred biometric because of an injury or because the sensor is unavailable or not working properly.
Windows Hello enables biometric sign-in for Windows: fingerprint, iris, or facial recognition. When you set up Windows Hello, you're asked to create a PIN first. This PIN enables you to sign in using the PIN when you can't use your preferred biometric because of an injury or because the sensor is unavailable or not working properly.
If you only had a biometric sign-in configured and, for any reason, were unable to use that method to sign in, you would have to sign in using your account and password, which doesn't provide you the same level of protection as Hello.
## Related topics
- [Windows Hello for Business](hello-identity-verification.md)
- [How Windows Hello for Business works](hello-how-it-works.md)
- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md)
- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
- [Windows Hello and password changes](hello-and-password-changes.md)
- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
- [Event ID 300 - Windows Hello successfully created](/windows/security/identity-protection/hello-for-business/hello-faq)
- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
If you only had a biometric sign-in configured and, for any reason, were unable to use that method to sign in, you would have to sign in using your account and password, which doesn't provide you with the same level of protection as Hello.
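Review bot: the "## Related topics" list (the eight links from "Windows Hello for Business" through "Windows Hello biometrics in the enterprise") is removed in this hunk with no replacement, while the surrounding edit is only a rewording of the last paragraph; if dropping the list is intentional, say so in the commit message, otherwise keep it under the new paragraph. Minor: in "Set account lockout threshold" the new step reads "and then select OK" without the bold used in the BitLocker steps ("**Allow BitLocker without a compatible TPM > OK**"); use **OK** in both.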
View File
@ -33,7 +33,7 @@ Conditional Access Platform components used for Device Compliance include the fo
- Azure AD Certificate Authority - It is a requirement that the client certificate used for the cloud-based device compliance solution be issued by an Azure Active Directory-based Certificate Authority (CA). An Azure AD CA is essentially a mini-CA cloud tenant in Azure. The Azure AD CA cannot be configured as part of an on-premises Enterprise CA.
See also [Always On VPN deployment for Windows Server and Windows 10](/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/always-on-vpn-deploy).
- Azure AD-issued short-lived certificates - When a VPN connection attempt is made, the Azure AD Token Broker on the local device communicates with Azure Active Directory, which then checks for health based on compliance rules. If compliant, Azure AD sends back a short-lived certificate that is used to authenticate the VPN. Note that certificate authentication methods such as EAP-TLS can be used. When that certificate expires, the client will again check with Azure AD for health validation before a new certificate is issued.
- Azure AD-issued short-lived certificates - When a VPN connection attempt is made, the Azure AD Token Broker on the local device communicates with Azure Active Directory, which then checks for health based on compliance rules. If compliant, Azure AD sends back a short-lived certificate that is used to authenticate the VPN. Note that certificate authentication methods such as EAP-TLS can be used. When the client reconnects and determines that the certificate has expired, the client will again check with Azure AD for health validation before a new certificate is issued.
- [Microsoft Intune device compliance policies](/mem/intune/protect/device-compliance-get-started) - Cloud-based device compliance leverages Microsoft Intune Compliance Policies, which are capable of querying the device state and define compliance rules for the following, among other things.
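Review bot: the reworded sentence ties re-validation to the client reconnecting and finding the certificate expired, which leaves open what happens to a VPN session that is still up when the short-lived certificate expires; one clause stating whether the session continues until the next connection attempt would close that gap.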
View File
@ -252,7 +252,7 @@ This policy setting allows blocking of direct memory access (DMA) for all hot pl
|**Drive type**|Operating system drives|
|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption*|
|**Conflicts**|None|
|**When enabled**|Every time the user locks the scree, DMA will be blocked on hot pluggable PCI ports until the user signs in again.|
|**When enabled**|Every time the user locks the screen, DMA will be blocked on hot pluggable PCI ports until the user signs in again.|
|**When disabled or not configured**|DMA is available on hot pluggable PCI devices if the device is turned on, regardless of whether a user is signed in.|
#### Reference: Disable new DMA devices when this computer is locked
View File
@ -9,7 +9,7 @@ ms.topic: how-to
ms.prod: windows-client
ms.technology: itpro-security
ms.localizationpriority: medium
ms.date: 12/13/2022
ms.date: 03/13/2023
---
<!-- Max 5963468 OS 32516487 -->
@ -17,245 +17,23 @@ ms.date: 12/13/2022
# Configure Personal Data Encryption (PDE) policies in Intune
The various required and recommended policies needed for Personal Data Encryption (PDE) can be configured in Intune. The following links for both required and recommended policies contain step by step instructions on how to configure these policies in Intune.
## Required prerequisites
### Enable Personal Data Encryption (PDE)
1. [Enable Personal Data Encryption (PDE)](pde-in-intune/intune-enable-pde.md)
1. Sign into [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
2. Navigate to **Devices** > **Configuration Profiles**
3. Select **Create profile**
4. Under **Platform**, select **Windows 10 and later**
5. Under **Profile type**, select **Templates**
6. Under **Template name**, select **Custom**, and then select **Create**
7. In **Basics**:
1. Next to **Name**, enter **Personal Data Encryption**
2. Next to **Description**, enter a description
8. Select **Next**
9. In **Configuration settings**, select **Add**
10. In **Add Row**:
1. Next to **Name**, enter **Personal Data Encryption**
2. Next to **Description**, enter a description
3. Next to **OMA-URI**, enter in **./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption**
4. Next to **Data type**, select **Integer**
5. Next to **Value**, enter in **1**
11. Select **Save**, and then select **Next**
12. In **Assignments**:
1. Under **Included groups**, select **Add groups**
2. Select the groups that the PDE policy should be deployed to
3. Select **Select**
4. Select **Next**
13. In **Applicability Rules**, configure if necessary and then select **Next**
14. In **Review + create**, review the configuration to make sure everything is configured correctly, and then select **Create**
### Disable Winlogon automatic restart sign-on (ARSO)
1. Sign into [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
2. Navigate to **Devices** > **Configuration Profiles**
3. Select **Create profile**
4. Under **Platform**, select **Windows 10 and later**
5. Under **Profile type**, select **Templates**
6. Under **Template name**, select **Administrative templates**, and then select **Create**
7. In **Basics**:
1. Next to **Name**, enter **Disable ARSO**
2. Next to **Description**, enter a description
8. Select **Next**
9. In **Configuration settings**, under **Computer Configuration**, navigate to **Windows Components** > **Windows Logon Options**
10. Select **Sign-in and lock last interactive user automatically after a restart**
11. In the **Sign-in and lock last interactive user automatically after a restart** window that opens, select **Disabled**, and then select **OK**
12. Select **Next**
13. In **Scope tags**, configure if necessary and then select **Next**
14. In **Assignments**:
1. Under **Included groups**, select **Add groups**
2. Select the groups that the ARSO policy should be deployed to
3. Select **Select**
4. Select **Next**
15. In **Review + create**, review the configuration to make sure everything is configured correctly, and then select **Create**
1. [Disable Winlogon automatic restart sign-on (ARSO)](pde-in-intune/intune-disable-arso.md)
## Security hardening recommendations
### Disable kernel-mode crash dumps and live dumps
1. [Disable kernel-mode crash dumps and live dumps](pde-in-intune/intune-disable-memory-dumps.md)
1. Sign into [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
1. [Disable Windows Error Reporting (WER)/user-mode crash dumps](pde-in-intune/intune-disable-wer.md)
2. Navigate to **Devices** > **Configuration Profiles**
1. [Disable hibernation](pde-in-intune/intune-disable-hibernation.md)
3. Select **Create profile**
4. Under **Platform**, select **Windows 10 and later**
5. Under **Profile type**, select **Settings catalog**, and then select **Create**
6. In **Basics**:
1. Next to **Name**, enter **Disable Kernel-Mode Crash Dumps**
2. Next to **Description**, enter a description
7. Select **Next**
8. In **Configuration settings**, select **Add settings**
9. In the **Settings picker** window, under **Browse by category**, select **Memory Dump**
10. When the settings appear under **Setting name**, select both **Allow Crash Dump** and **Allow Live Dump**, and then select the **X** in the top right corner of the **Settings picker** window to close the window
11. Change both **Allow Live Dump** and **Allow Crash Dump** to **Block**, and then select **Next**
12. In **Scope tags**, configure if necessary and then select **Next**
13. In **Assignments**:
1. Under **Included groups**, select **Add groups**
2. Select the groups that the disable crash dumps policy should be deployed to
3. Select **Select**
4. Select **Next**
14. In **Review + create**, review the configuration to make sure everything is configured correctly, and then select **Create**
### Disable Windows Error Reporting (WER)/Disable user-mode crash dumps
1. Sign into [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
2. Navigate to **Devices** > **Configuration Profiles**
3. Select **Create profile**
4. Under **Platform**, select **Windows 10 and later**
5. Under **Profile type**, select **Settings catalog**, and then select **Create**
6. In **Basics**:
1. Next to **Name**, enter **Disable Windows Error Reporting (WER)**
2. Next to **Description**, enter a description
7. Select **Next**
8. In **Configuration settings**, select **Add settings**
9. In the **Settings picker** window, under **Browse by category**, expand to **Administrative Templates** > **Windows Components**, and then select **Windows Error Reporting**
10. When the settings appear under **Setting name**, select **Disable Windows Error Reporting**, and then select the **X** in the top right corner of the **Settings picker** window to close the window
11. Change **Disable Windows Error Reporting** to **Enabled**, and then select **Next**
12. In **Scope tags**, configure if necessary and then select **Next**
13. In **Assignments**:
1. Under **Included groups**, select **Add groups**
2. Select the groups that the disable WER dumps policy should be deployed to
3. Select **Select**
4. Select **Next**
14. In **Review + create**, review the configuration to make sure everything is configured correctly, and then select **Create**
### Disable hibernation
1. Sign into [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
2. Navigate to **Devices** > **Configuration Profiles**
3. Select **Create profile**
4. Under **Platform**, select **Windows 10 and later**
5. Under **Profile type**, select **Settings catalog**, and then select **Create**
6. In **Basics**:
1. Next to **Name**, enter **Disable Hibernation**
2. Next to **Description**, enter a description
7. Select **Next**
8. In **Configuration settings**, select **Add settings**
9. In the **Settings picker** window, under **Browse by category**, select **Power**
10. When the settings appear under **Setting name**, select **Allow Hibernate**, and then select the **X** in the top right corner of the **Settings picker** window to close the window
11. Change **Allow Hibernate** to **Block**, and then select **Next**
12. In **Scope tags**, configure if necessary and then select **Next**
13. In **Assignments**:
1. Under **Included groups**, select **Add groups**
2. Select the groups that the disable hibernation policy should be deployed to
3. Select **Select**
4. Select **Next**
14. In **Review + create**, review the configuration to make sure everything is configured correctly, and then select **Create**
### Disable allowing users to select when a password is required when resuming from connected standby
1. Sign into [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
2. Navigate to **Devices** > **Configuration Profiles**
3. Select **Create profile**
4. Under **Platform**, select **Windows 10 and later**
5. Under **Profile type**, select **Settings catalog**, and then select **Create**
6. In **Basics**:
1. Next to **Name**, enter **Disable allowing users to select when a password is required when resuming from connected standby**
2. Next to **Description**, enter a description
7. Select **Next**
8. In **Configuration settings**, select **Add settings**
9. In the **Settings picker** window, under **Browse by category**, expand to **Administrative Templates** > **System**, and then select **Logon**
10. When the settings appear under **Setting name**, select **Allow users to select when a password is required when resuming from connected standby**, and then select the **X** in the top right corner of the **Settings picker** window to close the window
11. Make sure that **Allow users to select when a password is required when resuming from connected standby** is left at the default of **Disabled**, and then select **Next**
12. In **Scope tags**, configure if necessary and then select **Next**
13. In **Assignments**:
1. Under **Included groups**, select **Add groups**
2. Select the groups that the disable Allow users to select when a password is required when resuming from connected standby policy should be deployed to
3. Select **Select**
4. Select **Next**
14. In **Review + create**, review the configuration to make sure everything is configured correctly, and then select **Create**
1. [Disable allowing users to select when a password is required when resuming from connected standby](pde-in-intune/intune-disable-password-connected-standby.md)
## See also
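Review bot: the summary lists under "## Required prerequisites" and "## Security hardening recommendations" use numbered items ("1. [Enable Personal Data Encryption (PDE)]", "1. [Disable Winlogon automatic restart sign-on (ARSO)]") for links to independent pages, not ordered steps; the same lists in the new per-setting pages in this commit use "- " bullets, so use bullets here too for consistency.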
View File
@ -11,7 +11,7 @@ metadata:
ms.prod: windows-client
ms.technology: itpro-security
ms.localizationpriority: medium
ms.date: 12/13/2022
ms.date: 03/13/2023
# Max 5963468 OS 32516487
# Max 6946251
View File
@ -6,11 +6,11 @@ author: frankroj
ms.author: frankroj
ms.reviewer: rhonnegowda
manager: aaroncz
ms.topic: how-to
ms.topic: include
ms.prod: windows-client
ms.technology: itpro-security
ms.localizationpriority: medium
ms.date: 12/13/2022
ms.date: 03/13/2023
---
<!-- Max 5963468 OS 32516487 -->
View File
@ -9,7 +9,7 @@ ms.topic: how-to
ms.prod: windows-client
ms.technology: itpro-security
ms.localizationpriority: medium
ms.date: 12/13/2022
ms.date: 03/13/2023
---
<!-- Max 5963468 OS 32516487 -->
@ -35,7 +35,7 @@ ms.date: 12/13/2022
- [FIDO/security key authentication](/azure/active-directory/authentication/howto-authentication-passwordless-security-key)
- [Winlogon automatic restart sign-on (ARSO)](/windows-server/identity/ad-ds/manage/component-updates/winlogon-automatic-restart-sign-on--arso-)
- For information on disabling ARSO via Intune, see [Disable Winlogon automatic restart sign-on (ARSO)](configure-pde-in-intune.md#disable-winlogon-automatic-restart-sign-on-arso)).
- For information on disabling ARSO via Intune, see [Disable Winlogon automatic restart sign-on (ARSO)](pde-in-intune/intune-disable-arso.md).
- [Windows Information Protection (WIP)](../windows-information-protection/protect-enterprise-data-using-wip.md)
- [Hybrid Azure AD joined devices](/azure/active-directory/devices/concept-azure-ad-join-hybrid)
- Remote Desktop connections
@ -44,19 +44,19 @@ ms.date: 12/13/2022
- [Kernel-mode crash dumps and live dumps disabled](/windows/client-management/mdm/policy-csp-memorydump#memorydump-policies)
Kernel-mode crash dumps and live dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable kernel-mode crash dumps and live dumps. For information on disabling crash dumps and live dumps via Intune, see [Disable kernel-mode crash dumps and live dumps](configure-pde-in-intune.md#disable-kernel-mode-crash-dumps-and-live-dumps).
Kernel-mode crash dumps and live dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable kernel-mode crash dumps and live dumps. For information on disabling crash dumps and live dumps via Intune, see [Disable kernel-mode crash dumps and live dumps](pde-in-intune/intune-disable-memory-dumps.md).
- [Windows Error Reporting (WER) disabled/User-mode crash dumps disabled](/windows/client-management/mdm/policy-csp-errorreporting#errorreporting-disablewindowserrorreporting)
Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode crash dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable user-mode crash dumps. For more information on disabling crash dumps via Intune, see [Disable Windows Error Reporting (WER)/Disable user-mode crash dumps](configure-pde-in-intune.md#disable-windows-error-reporting-werdisable-user-mode-crash-dumps).
Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode crash dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable user-mode crash dumps. For more information on disabling crash dumps via Intune, see [Disable Windows Error Reporting (WER)/user-mode crash dumps](pde-in-intune/intune-disable-wer.md).
- [Hibernation disabled](/windows/client-management/mdm/policy-csp-power#power-allowhibernate)
Hibernation files can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable hibernation. For more information on disabling crash dumps via Intune, see [Disable hibernation](configure-pde-in-intune.md#disable-hibernation).
Hibernation files can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable hibernation. For more information on disabling crash dumps via Intune, see [Disable hibernation](pde-in-intune/intune-disable-hibernation.md).
- [Allowing users to select when a password is required when resuming from connected standby disabled](/windows/client-management/mdm/policy-csp-admx-credentialproviders#admx-credentialproviders-allowdomaindelaylock)
When this policy isn't configured, the outcome between on-premises Active Directory joined devices and workgroup devices, including native Azure Active Directory joined devices, is different:
When this policy isn't configured, the outcome between on-premises Active Directory joined devices and workgroup devices, including Azure Active Directory joined devices, is different:
- On-premises Active Directory joined devices:
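Review bot: the "Hibernation disabled" bullet still reads "For more information on disabling crash dumps via Intune, see [Disable hibernation]"; only the link target changed, so the copy-pasted "crash dumps" survives. Change it to "For more information on disabling hibernation via Intune, see [Disable hibernation](pde-in-intune/intune-disable-hibernation.md)."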
@ -66,15 +66,15 @@ ms.date: 12/13/2022
The above is the desired outcome, but PDE isn't supported with on-premises Active Directory joined devices.
- Workgroup devices, including native Azure AD joined devices:
- Workgroup devices, including Azure AD joined devices:
- A user on a Connected Standby device can change the amount of time after the device´s screen turns off before a password is required to wake the device.
- During the time when the screen turns off but a password isn't required, the keys used by PDE to protect content could potentially be exposed. This outcome isn't a desired outcome.
Because of this undesired outcome, it's recommended to explicitly disable this policy on native Azure AD joined devices instead of leaving it at the default of not configured.
Because of this undesired outcome, it's recommended to explicitly disable this policy on Azure AD joined devices instead of leaving it at the default of **Not configured**.
For information on disabling this policy via Intune, see [Disable allowing users to select when a password is required when resuming from connected standby](configure-pde-in-intune.md#disable-allowing-users-to-select-when-a-password-is-required-when-resuming-from-connected-standby).
For information on disabling this policy via Intune, see [Disable allowing users to select when a password is required when resuming from connected standby](pde-in-intune/intune-disable-password-connected-standby.md).
### Highly recommended
@ -88,7 +88,7 @@ ms.date: 12/13/2022
- [Windows Hello for Business PIN reset service](../../identity-protection/hello-for-business/hello-feature-pin-reset.md)
Destructive PIN resets will cause keys used by PDE to protect content to be lost. The destructive PIN reset will make any content protected with PDE no longer accessible after a destructive PIN reset. Content protected with PDE will need to be recovered from a backup after a destructive PIN reset. For this reason Windows Hello for Business PIN reset service is recommended since it provides non-destructive PIN resets.
Destructive PIN resets will cause keys used by PDE to protect content to be lost. A destructive PIN reset will make any content protected with PDE no longer accessible after the destructive PIN reset has occurred. Content protected with PDE will need to be recovered from a backup after a destructive PIN reset. For this reason Windows Hello for Business PIN reset service is recommended since it provides non-destructive PIN resets.
- [Windows Hello Enhanced Sign-in Security](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)
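Review bot: the new sentence "A destructive PIN reset will make any content protected with PDE no longer accessible after the destructive PIN reset has occurred" repeats itself; "A destructive PIN reset makes any content protected with PDE inaccessible" says the same. While here, add the comma in "For this reason, Windows Hello for Business PIN reset service is recommended", which this hunk leaves unchanged.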
@ -135,7 +135,7 @@ There's also a [PDE CSP](/windows/client-management/mdm/personaldataencryption-c
> [!NOTE]
> Enabling the PDE policy on devices only enables the PDE feature. It does not protect any content. To protect content via PDE, use the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). The PDE APIs can be used to create custom applications and scripts to specify which content to protect and at what level to protect the content. Additionally, the PDE APIs can't be used to protect content until the PDE policy has been enabled.
For information on enabling PDE via Intune, see [Enable Personal Data Encryption (PDE)](configure-pde-in-intune.md#enable-personal-data-encryption-pde).
For information on enabling PDE via Intune, see [Enable Personal Data Encryption (PDE)](pde-in-intune/intune-enable-pde.md).
## Differences between PDE and BitLocker
View File
@ -0,0 +1,100 @@
---
title: Disable Winlogon automatic restart sign-on (ARSO) for PDE in Intune
description: Disable Winlogon automatic restart sign-on (ARSO) for PDE in Intune
author: frankroj
ms.author: frankroj
ms.reviewer: rhonnegowda
manager: aaroncz
ms.topic: how-to
ms.prod: windows-client
ms.technology: itpro-security
ms.localizationpriority: medium
ms.date: 03/13/2023
---
# Disable Winlogon automatic restart sign-on (ARSO) for PDE
Winlogon automatic restart sign-on (ARSO) isn't supported for use with Personal Data Encryption (PDE). For this reason, in order to use PDE, ARSO needs to be disabled.
## Disable Winlogon automatic restart sign-on (ARSO) in Intune
To disable ARSO using Intune, follow the below steps:
1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
1. In the **Home** screen, select **Devices** in the left pane.
1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**.
1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**.
1. In the **Create profile** window that opens:
1. Under **Platform**, select **Windows 10 and later**.
1. Under **Profile type**, select **Templates**.
1. When the templates appear, under **Template name**, select **Administrative templates**.
1. Select **Create** to close the **Create profile** window.
1. The **Create profile** screen will open. In the **Basics** page:
1. Next to **Name**, enter **Disable ARSO**.
1. Next to **Description**, enter a description.
1. Select **Next**.
1. In the **Configuration settings** page:
1. On the left pane of the page, make sure **Computer Configuration** is selected.
1. Under **Setting name**, scroll down and select **Windows Components**.
1. Under **Setting name**, scroll down and select **Windows Logon Options**. You may need to navigate between pages on the bottom right corner before finding the **Windows Logon Options** option.
1. Under **Setting name** of the **Windows Logon Options** pane, select **Sign-in and lock last interactive user automatically after a restart**.
1. In the **Sign-in and lock last interactive user automatically after a restart** window that opens, select **Disabled**, and then select **OK**.
1. Select **Next**.
1. In the **Scope tags** page, configure if necessary and then select **Next**.
1. In the **Assignments** page:
1. Under **Included groups**, select **Add groups**.
> [!NOTE]
>
> Make sure to select **Add groups** under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile.
1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window.
1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**.
1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**.
## Additional PDE configurations in Intune
The following PDE configurations can also be configured using Intune:
### Required prerequisites
- [Enable Personal Data Encryption (PDE)](../pde-in-intune/intune-enable-pde.md)
### Security hardening recommendations
- [Disable kernel-mode crash dumps and live dumps](../pde-in-intune/intune-disable-memory-dumps.md)
- [Disable Windows Error Reporting (WER)/user-mode crash dumps](../pde-in-intune/intune-disable-wer.md)
- [Disable hibernation](../pde-in-intune/intune-disable-hibernation.md)
- [Disable allowing users to select when a password is required when resuming from connected standby](../pde-in-intune/intune-disable-password-connected-standby.md)
## More information
- [Personal Data Encryption (PDE)](../overview-pde.md)
- [Personal Data Encryption (PDE) FAQ](../faq-pde.yml)
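Review bot: style nits in the new page: "follow the below steps" under "## Disable Winlogon automatic restart sign-on (ARSO) in Intune" should be "follow these steps", and "In **Review + create** page" needs "the". The opening sentence also states that ARSO isn't supported with PDE without giving a reason; a short clause, or a link to the ARSO page already referenced elsewhere in this commit, would help readers who have to justify disabling it.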
View File
@ -0,0 +1,98 @@
---
title: Disable hibernation for PDE in Intune
description: Disable hibernation for PDE in Intune
author: frankroj
ms.author: frankroj
ms.reviewer: rhonnegowda
manager: aaroncz
ms.topic: how-to
ms.prod: windows-client
ms.technology: itpro-security
ms.localizationpriority: medium
ms.date: 03/13/2023
---
# Disable hibernation for PDE
Hibernation files can potentially cause the keys used by Personal Data Encryption (PDE) to protect content to be exposed. For greatest security, disable hibernation.
## Disable hibernation in Intune
To disable hibernation using Intune, follow the below steps:
1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
1. In the **Home** screen, select **Devices** in the left pane.
1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**.
1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**.
1. In the **Create profile** window that opens:
1. Under **Platform**, select **Windows 10 and later**.
1. Under **Profile type**, select **Settings catalog**.
1. Select **Create** to close the **Create profile** window.
1. The **Create profile** screen will open. In the **Basics** page:
1. Next to **Name**, enter **Disable Hibernation**.
1. Next to **Description**, enter a description.
1. Select **Next**.
1. In the **Configuration settings** page:
1. select **Add settings**.
1. In the **Settings picker** window that opens:
1. Under **Browse by category**, scroll down and select **Power**.
1. When the settings for the **Power** category appear under **Setting name** in the lower pane, select **Allow Hibernate**, and then select the **X** in the top right corner of the **Settings picker** window to close the window.
1. Change **Allow Hibernate** from **Allow** to **Block** by selecting the slider next to the option.
1. Select **Next**.
1. In the **Scope tags** page, configure if necessary and then select **Next**.
1. In the **Assignments** page:
1. Under **Included groups**, select **Add groups**.
> [!NOTE]
>
> Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile.
1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window.
1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**.
1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**.
## Additional PDE configurations in Intune
The following PDE configurations can also be configured using Intune:
### Required prerequisites
- [Enable Personal Data Encryption (PDE)](../pde-in-intune/intune-enable-pde.md)
- [Disable Winlogon automatic restart sign-on (ARSO)](../pde-in-intune/intune-disable-arso.md)
### Security hardening recommendations
- [Disable kernel-mode crash dumps and live dumps](../pde-in-intune/intune-disable-memory-dumps.md)
- [Disable Windows Error Reporting (WER)/user-mode crash dumps](../pde-in-intune/intune-disable-wer.md)
- [Disable allowing users to select when a password is required when resuming from connected standby](../pde-in-intune/intune-disable-password-connected-standby.md)
## More information
- [Personal Data Encryption (PDE)](../overview-pde.md)
- [Personal Data Encryption (PDE) FAQ](../faq-pde.yml)
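Review bot: the step `1. select **Add settings**.` under **Configuration settings** starts lowercase, while the sibling PDE pages in this commit use `1. Select **Add settings**.`; capitalize it. The opening sentence "Hibernation files can potentially cause the keys used by Personal Data Encryption (PDE) to protect content to be exposed" is wordy; "Hibernation files can expose the keys that Personal Data Encryption (PDE) uses to protect content" says the same thing more directly. "Follow the below steps" reads better as "follow these steps".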

View File

@ -0,0 +1,96 @@
---
title: Disable kernel-mode crash dumps and live dumps for PDE in Intune
description: Disable kernel-mode crash dumps and live dumps for PDE in Intune
author: frankroj
ms.author: frankroj
ms.reviewer: rhonnegowda
manager: aaroncz
ms.topic: how-to
ms.prod: windows-client
ms.technology: itpro-security
ms.localizationpriority: medium
ms.date: 03/13/2023
---
# Disable kernel-mode crash dumps and live dumps for PDE
Kernel-mode crash dumps and live dumps can potentially cause the keys used by Personal Data Encryption (PDE) to protect content to be exposed. For greatest security, disable kernel-mode crash dumps and live dumps.
## Disable kernel-mode crash dumps and live dumps in Intune
To disable kernel-mode crash dumps and live dumps using Intune, follow the below steps:
1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
1. In the **Home** screen, select **Devices** in the left pane.
1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**.
1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**.
1. In the **Create profile** window that opens:
1. Under **Platform**, select **Windows 10 and later**.
1. Under **Profile type**, select **Settings catalog**.
1. Select **Create** to close the **Create profile** window.
1. The **Create profile** screen will open. In the **Basics** page:
1. Next to **Name**, enter **Disable Kernel-Mode Crash Dumps**.
1. Next to **Description**, enter a description.
1. Select **Next**.
1. In the **Configuration settings** page:
1. Select **Add settings**.
1. In the **Settings picker** window that opens:
1. Under **Browse by category**, scroll down and select **Memory Dump**.
1. When the settings for the **Memory Dump** category appear under **Setting name** in the lower pane, select both **Allow Crash Dump** and **Allow Live Dump**, and then select the **X** in the top right corner of the **Settings picker** window to close the window.
1. Change both **Allow Live Dump** and **Allow Crash Dump** from **Allow** to **Block** by selecting the slider next to each option, and then select **Next**.
1. In the **Scope tags** page, configure if necessary and then select **Next**.
1. In the **Assignments** page:
1. Under **Included groups**, select **Add groups**.
> [!NOTE]
>
> Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile.
1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window.
1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**.
1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**.
## Additional PDE configurations in Intune
The following PDE configurations can also be configured using Intune:
### Required prerequisites
- [Enable Personal Data Encryption (PDE)](../pde-in-intune/intune-enable-pde.md)
- [Disable Winlogon automatic restart sign-on (ARSO)](../pde-in-intune/intune-disable-arso.md)
### Security hardening recommendations
- [Disable Windows Error Reporting (WER)/user-mode crash dumps](../pde-in-intune/intune-disable-wer.md)
- [Disable hibernation](../pde-in-intune/intune-disable-hibernation.md)
- [Disable allowing users to select when a password is required when resuming from connected standby](../pde-in-intune/intune-disable-password-connected-standby.md)
## More information
- [Personal Data Encryption (PDE)](../overview-pde.md)
- [Personal Data Encryption (PDE) FAQ](../faq-pde.yml)
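Review bot: the profile name entered in the **Basics** step, `Next to **Name**, enter **Disable Kernel-Mode Crash Dumps**.`, omits live dumps even though the profile blocks both **Allow Crash Dump** and **Allow Live Dump**; naming it to match the page title ("Disable kernel-mode crash dumps and live dumps") keeps the Intune profile list self-describing. The **Configuration settings** step also folds the slider change and **Next** into one item, while the hibernation page splits them; pick one pattern for the series.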

View File

@ -0,0 +1,118 @@
---
title: Disable allowing users to select when a password is required when resuming from connected standby for PDE in Intune
description: Disable allowing users to select when a password is required when resuming from connected standby for PDE in Intune
author: frankroj
ms.author: frankroj
ms.reviewer: rhonnegowda
manager: aaroncz
ms.topic: how-to
ms.prod: windows-client
ms.technology: itpro-security
ms.localizationpriority: medium
ms.date: 03/13/2023
---
# Disable allowing users to select when a password is required when resuming from connected standby for PDE
When the **Disable allowing users to select when a password is required when resuming from connected standby** policy isn't configured, the outcome between on-premises Active Directory joined devices and workgroup devices, including Azure Active Directory joined devices, is different:
- On-premises Active Directory joined devices:
- A user can't change the amount of time after the device´s screen turns off before a password is required when waking the device.
- A password is required immediately after the screen turns off.
The above is the desired outcome, but PDE isn't supported with on-premises Active Directory joined devices.
- Workgroup devices, including Azure AD joined devices:
- A user on a Connected Standby device can change the amount of time after the device´s screen turns off before a password is required to wake the device.
- During the time when the screen turns off but a password isn't required, the keys used by PDE to protect content could potentially be exposed. This outcome isn't a desired outcome.
Because of this undesired outcome, it's recommended to explicitly disable this policy on Azure AD joined devices instead of leaving it at the default of **Not configured**.
## Disable allowing users to select when a password is required when resuming from connected standby in Intune
To disable the policy **Disable allowing users to select when a password is required when resuming from connected standby** using Intune, follow the below steps:
1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
1. In the **Home** screen, select **Devices** in the left pane.
1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**.
1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**.
1. In the **Create profile** window that opens:
1. Under **Platform**, select **Windows 10 and later**.
1. Under **Profile type**, select **Settings catalog**.
1. Select **Create** to close the **Create profile** window.
1. The **Create profile** screen will open. In the **Basics** page:
1. Next to **Name**, enter **Disable allowing users to select when a password is required when resuming from connected standby**.
1. Next to **Description**, enter a description.
1. Select **Next**.
1. In the **Configuration settings** page:
1. Select **Add settings**.
1. In the **Settings picker** window that opens:
1. Under **Browse by category**, expand **Administrative Templates**.
1. Under **Administrative Templates**, scroll down and expand **System**.
1. Under **System**, scroll down and select **Logon**.
1. When the settings for the **Logon** subcategory appear under **Setting name** in the lower pane, select **Allow users to select when a password is required when resuming from connected standby**, and then select the **X** in the top right corner of the **Settings picker** window to close the window.
1. Leave the slider for **Allow users to select when a password is required when resuming from connected standby** at the default of **Disabled**.
1. select **Next**.
1. In the **Scope tags** page, configure if necessary and then select **Next**.
1. In the **Assignments** page:
1. Under **Included groups**, select **Add groups**.
> [!NOTE]
>
> Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile.
1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window.
1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**.
1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**.
## Additional PDE configurations in Intune
The following PDE configurations can also be configured using Intune:
### Required prerequisites
- [Enable Personal Data Encryption (PDE)](../pde-in-intune/intune-enable-pde.md)
- [Disable Winlogon automatic restart sign-on (ARSO)](../pde-in-intune/intune-disable-arso.md)
### Security hardening recommendations
- [Disable kernel-mode crash dumps and live dumps](../pde-in-intune/intune-disable-memory-dumps.md)
- [Disable Windows Error Reporting (WER)/user-mode crash dumps](../pde-in-intune/intune-disable-wer.md)
- [Disable hibernation](../pde-in-intune/intune-disable-hibernation.md)
## More information
- [Personal Data Encryption (PDE)](../overview-pde.md)
- [Personal Data Encryption (PDE) FAQ](../faq-pde.yml)
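Review bot: "device´s" in the two bullets ("the amount of time after the device´s screen turns off") uses an acute accent instead of an apostrophe; replace with "device's" in both. The step `1. select **Next**.` after the slider is lowercase, unlike the rest of the list. The step "Leave the slider ... at the default of **Disabled**" would read less like a no-op if it said that adding the setting to the profile is what makes the policy explicitly **Disabled** rather than **Not configured**, since the intro relies on exactly that distinction for Azure AD joined devices.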

View File

@ -0,0 +1,102 @@
---
title: Disable Windows Error Reporting (WER)/user-mode crash dumps for PDE in Intune
description: Disable Windows Error Reporting (WER)/user-mode crash dumps for PDE in Intune
author: frankroj
ms.author: frankroj
ms.reviewer: rhonnegowda
manager: aaroncz
ms.topic: how-to
ms.prod: windows-client
ms.technology: itpro-security
ms.localizationpriority: medium
ms.date: 03/13/2023
---
# Disable Windows Error Reporting (WER)/user-mode crash dumps for PDE
Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode crash dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable user-mode crash dumps.
## Disable Windows Error Reporting (WER)/user-mode crash dumps in Intune
To disable Windows Error Reporting (WER) and user-mode crash dumps using Intune, follow the below steps:
1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
1. In the **Home** screen, select **Devices** in the left pane.
1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**.
1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**.
1. In the **Create profile** window that opens:
1. Under **Platform**, select **Windows 10 and later**.
1. Under **Profile type**, select **Settings catalog**.
1. Select **Create** to close the **Create profile** window.
1. The **Create profile** screen will open. In the **Basics** page:
1. Next to **Name**, enter **Disable Windows Error Reporting (WER)**.
1. Next to **Description**, enter a description.
1. Select **Next**.
1. In the **Configuration settings** page:
1. Select **Add settings**.
1. In the **Settings picker** window that opens:
1. Under **Browse by category**, expand **Administrative Templates**.
1. Under **Administrative Templates**, scroll down and expand **Windows Components**.
1. Under **Windows Components**, scroll down and select **Windows Error Reporting**. Make sure to only select **Windows Error Reporting** and not to expand it.
1. When the settings for the **Windows Error Reporting** subcategory appear under **Setting name** in the lower pane, select **Disable Windows Error Reporting**, and then select the **X** in the top right corner of the **Settings picker** window to close the window.
1. Change **Disable Windows Error Reporting** from **Disabled** to **Enabled** by selecting the slider next to the option.
1. Select **Next**.
1. In the **Scope tags** page, configure if necessary and then select **Next**.
1. In the **Assignments** page:
1. Under **Included groups**, select **Add groups**.
> [!NOTE]
>
> Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile.
1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window.
1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**.
1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**.
## Additional PDE configurations in Intune
The following PDE configurations can also be configured using Intune:
### Required prerequisites
- [Enable Personal Data Encryption (PDE)](../pde-in-intune/intune-enable-pde.md)
- [Disable Winlogon automatic restart sign-on (ARSO)](../pde-in-intune/intune-disable-arso.md)
### Security hardening recommendations
- [Disable kernel-mode crash dumps and live dumps](../pde-in-intune/intune-disable-memory-dumps.md)
- [Disable hibernation](../pde-in-intune/intune-disable-hibernation.md)
- [Disable allowing users to select when a password is required when resuming from connected standby](../pde-in-intune/intune-disable-password-connected-standby.md)
## More information
- [Personal Data Encryption (PDE)](../overview-pde.md)
- [Personal Data Encryption (PDE) FAQ](../faq-pde.yml)
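Review bot: the step `Change **Disable Windows Error Reporting** from **Disabled** to **Enabled** by selecting the slider next to the option.` is a double negative that admins routinely get backwards; add a short clause such as "(enabling this policy turns Windows Error Reporting off)". The opening sentence uses "PDE" without expanding it, whereas the other pages in this set introduce "Personal Data Encryption (PDE)" on first use.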

View File

@ -0,0 +1,112 @@
---
title: Enable Personal Data Encryption (PDE) in Intune
description: Enable Personal Data Encryption (PDE) in Intune
author: frankroj
ms.author: frankroj
ms.reviewer: rhonnegowda
manager: aaroncz
ms.topic: how-to
ms.prod: windows-client
ms.technology: itpro-security
ms.localizationpriority: medium
ms.date: 03/13/2023
---
# Enable Personal Data Encryption (PDE)
By default, Personal Data Encryption (PDE) is not enabled on devices. Before PDE can be used on a device, it needs to be enabled. This can be done via a custom OMA-URI policy assigned to the device.
> [!NOTE]
> Enabling the PDE policy on devices only enables the PDE feature. It does not protect any content. To protect content via PDE, use the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). The PDE APIs can be used to create custom applications and scripts to specify which content to protect and at what level to protect the content. Additionally, the PDE APIs can't be used to protect content until the PDE policy has been enabled.
## Enable Personal Data Encryption (PDE) in Intune
To enable Personal Data Encryption (PDE) using Intune, follow the below steps:
1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
1. In the **Home** screen, select **Devices** in the left pane.
1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**.
1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**.
1. In the **Create profile** window that opens:
1. Under **Platform**, select **Windows 10 and later**.
1. Under **Profile type**, select **Templates**.
1. When the templates appears, under **Template name**, select **Custom**.
1. Select **Create** to close the **Create profile** window.
1. The **Custom** screen will open. In the **Basics** page:
1. Next to **Name**, enter **Personal Data Encryption**.
1. Next to **Description**, enter a description.
1. Select **Next**.
1. In **Configuration settings** page:
1. Next to **OMA-URI Settings**, select **Add**.
1. In the **Add Row** window that opens:
1. Next to **Name**, enter **Personal Data Encryption**.
1. Next to **Description**, enter a description.
1. Next to **OMA-URI**, enter in:
**`./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption`**
1. Next to **Data type**, select **Integer**.
1. Next to **Value**, enter in **1**.
1. Select **Save** to close the **Add Row** window.
1. Select **Next**.
1. In the **Assignments** page:
1. Under **Included groups**, select **Add groups**.
> [!NOTE]
>
> Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile.
1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window.
1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**.
1. In **Applicability Rules**, configure if necessary and then select **Next**.
1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**.
## Additional PDE configurations in Intune
The following PDE configurations can also be configured using Intune:
### Required prerequisites
- [Disable Winlogon automatic restart sign-on (ARSO)](../pde-in-intune/intune-disable-arso.md)
### Security hardening recommendations
- [Disable kernel-mode crash dumps and live dumps](../pde-in-intune/intune-disable-memory-dumps.md)
- [Disable Windows Error Reporting (WER)/user-mode crash dumps](../pde-in-intune/intune-disable-wer.md)
- [Disable hibernation](../pde-in-intune/intune-disable-hibernation.md)
- [Disable allowing users to select when a password is required when resuming from connected standby](../pde-in-intune/intune-disable-password-connected-standby.md)
## More information
- [Personal Data Encryption (PDE)](../overview-pde.md)
- [Personal Data Encryption (PDE) FAQ](../faq-pde.yml)
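Review bot: "When the templates appears, under **Template name**, select **Custom**." has a number agreement error; "When the templates appear" or "When the list of templates appears". The intro uses "is not enabled" and "does not protect" while the sibling pages use contractions ("isn't", "can't", "won't"); make the voice consistent. The note about the PDE APIs is useful; consider also stating in the intro that the OMA-URI is user-scoped (`./User/...`), since that is visible in the step but easy to miss.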

View File

@ -194,7 +194,12 @@ The most common values:
| 0x18 | RC4-HMAC-EXP | Default suite for operating systems before Windows Server 2008 and Windows Vista. |
| 0xFFFFFFFF or 0xffffffff | - | This type shows in Audit Failure events. |
- **Failure Code** \[Type = HexInt32\]**:** hexadecimal result code of TGS issue operation. The table below contains the list of the most common error codes for this event:
- **Failure Code** \[Type = HexInt32\]**:** hexadecimal result code of TGS issue operation.
Some errors are only reported when you set [KdcExtraLogLevel](/troubleshoot/windows-server/windows-security/kerberos-protocol-registry-kdc-configuration-keys) registry key value with the following flags:
- 0x01: Audit SPN unknown errors.
- 0x10: Log audit events on encryption type (ETYPE) and bad options errors.
The table below contains the list of the most common error codes for this event:
| Code | Code Name | Description | Possible causes |
|------|----------------------------------------|-----------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
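Review bot: "Some errors are only reported when you set [KdcExtraLogLevel](...) registry key value with the following flags:" is ungrammatical; suggest "Some errors are only reported when the [KdcExtraLogLevel](...) registry value includes the following flags:". Listing the two flags as `0x01` and `0x10` is good, but the sentence should say whether each flag enables its own set of errors, so readers know which one they need for the ETYPE rows in the table that follows.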

View File

@ -1,6 +1,6 @@
---
title: Enable virtualization-based protection of code integrity
description: This article explains the steps to opt in to using HVCI on Windows devices.
title: Enable memory integrity
description: This article explains the steps to opt in to using memory integrity on Windows devices.
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.localizationpriority: medium
@ -12,7 +12,7 @@ ms.collection:
- highpri
- tier2
ms.topic: conceptual
ms.date: 12/16/2021
ms.date: 03/16/2023
ms.reviewer:
ms.technology: itpro-security
---
@ -20,41 +20,50 @@ ms.technology: itpro-security
# Enable virtualization-based protection of code integrity
**Applies to**
- Windows 10
- Windows 11
- Windows Server 2016 or higher
This topic covers different ways to enable Hypervisor-protected code integrity (HVCI) on Windows 10 and Windows 11.
Some applications, including device drivers, may be incompatible with HVCI.
This incompatibility can cause devices or software to malfunction and in rare cases may result in a blue screen. Such issues may occur after HVCI has been turned on or during the enablement process itself.
If these issues occur, see [Troubleshooting](#troubleshooting) for remediation steps.
**Memory integrity** is a virtualization-based security (VBS) feature available in Windows. Memory integrity and VBS improve the threat model of Windows and provide stronger protections against malware trying to exploit the Windows kernel. VBS uses the Windows hypervisor to create an isolated virtual environment that becomes the root of trust of the OS that assumes the kernel can be compromised. Memory integrity is a critical component that protects and hardens Windows by running kernel mode code integrity within the isolated virtual environment of VBS. Memory integrity also restricts kernel memory allocations that could be used to compromise the system.
> [!NOTE]
> Because it makes use of *Mode Based Execution Control*, HVCI works better with Intel Kaby Lake or AMD Zen 2 CPUs and newer. Processors without MBEC will rely on an emulation of this feature, called *Restricted User Mode*, which has a bigger impact on performance.
> Memory integrity works better with Intel Kabylake and higher processors with *Mode-Based Execution Control*, and AMD Zen 2 and higher processors with *Guest Mode Execute Trap* capabilities. Older processors rely on an emulation of these features, called *Restricted User Mode*, and will have a bigger impact on performance.
## HVCI Features
> [!WARNING]
> Some applications and hardware device drivers may be incompatible with memory integrity. This incompatibility can cause devices or software to malfunction and in rare cases may result in a boot failure (blue screen). Such issues may occur after memory integrity has been turned on or during the enablement process itself. If compatibility issues occur, see [Troubleshooting](#troubleshooting) for remediation steps.
* HVCI protects modification of the Control Flow Guard (CFG) bitmap.
* HVCI also ensures that your other trusted processes, like Credential Guard, have got a valid certificate.
* Modern device drivers must also have an EV (Extended Validation) certificate and should support HVCI.
> [!NOTE]
> Memory integrity is sometimes referred to as *hypervisor-protected code integrity (HVCI)* or *hypervisor enforced code integrity*, and was originally released as part of *Device Guard*. Device Guard is no longer used except to locate memory integrity and VBS settings in Group Policy or the Windows registry.
## How to turn on HVCI in Windows 10 and Windows 11
## Memory integrity features
- Protects modification of the Control Flow Guard (CFG) bitmap for kernel mode drivers.
- Protects the kernel mode code integrity process that ensures that other trusted kernel processes have a valid certificate.
## How to turn on memory integrity
To enable memory integrity on Windows devices with supporting hardware throughout an enterprise, use any of these options:
To enable HVCI on Windows 10 and Windows 11 devices with supporting hardware throughout an enterprise, use any of these options:
- [Windows Security app](#windows-security-app)
- [Microsoft Intune (or another MDM provider)](#enable-hvci-using-intune)
- [Group Policy](#enable-hvci-using-group-policy)
- [Microsoft Intune (or another MDM provider)](#enable-memory-integrity-using-intune)
- [Group Policy](#enable-memory-integrity-using-group-policy)
- [Microsoft Configuration Manager](https://cloudblogs.microsoft.com/enterprisemobility/2015/10/30/managing-windows-10-device-guard-with-configuration-manager/)
- [Registry](#use-registry-keys-to-enable-virtualization-based-protection-of-code-integrity)
- [Registry](#use-registry-keys-to-enable-memory-integrity)
### Windows Security app
HVCI is labeled **Memory integrity** in the Windows Security app and it can be accessed via **Settings** > **Update & Security** > **Windows Security** > **Device security** > **Core isolation details** > **Memory integrity**. For more information, see [KB4096339](https://support.microsoft.com/help/4096339/windows-10-device-protection-in-windows-defender-security-center).
**Memory integrity** can be turned on in the Windows Security app and found at **Windows Security** > **Device security** > **Core isolation details** > **Memory integrity**. For more information, see [Device protection in Windows Security](https://support.microsoft.com/help/4096339/windows-10-device-protection-in-windows-defender-security-center).
### Enable HVCI using Intune
Beginning with Windows 11 22H2, the Windows Security app shows a warning if memory integrity is turned off. The warning indicator also appears on the Windows Security icon in the Windows Taskbar and in the Windows Notification Center. The user can dismiss the warning from within the Windows Security app.
Enabling in Intune requires using the Code Integrity node in the [VirtualizationBasedTechnology CSP](/windows/client-management/mdm/policy-csp-virtualizationbasedtechnology). You can configure the settings in Windows by using the [settings catalog](/mem/intune/configuration/settings-catalog).
To proactively dismiss the memory integrity warning, you can set the **Hardware_HVCI_Off** (DWORD) registry value under `HKLM\SOFTWARE\Microsoft\Windows Security Health\State` to 0. After you change the registry value, you must restart the device for the change to take effect.
### Enable HVCI using Group Policy
### Enable memory integrity using Intune
Enabling in Intune requires using the Code Integrity node in the [VirtualizationBasedTechnology CSP](/windows/client-management/mdm/policy-csp-virtualizationbasedtechnology). You can configure these settings by using the [settings catalog](/mem/intune/configuration/settings-catalog).
### Enable memory integrity using Group Policy
1. Use Group Policy Editor (gpedit.msc) to either edit an existing GPO or create a new one.
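Review bot: the H1 `# Enable virtualization-based protection of code integrity` is left unchanged while the front matter title in this commit becomes "Enable memory integrity"; update the heading to match. In the note, "Intel Kabylake" replaces the original "Kaby Lake", which is the correct spelling. The sentence "creates an isolated virtual environment that becomes the root of trust of the OS that assumes the kernel can be compromised" is hard to parse; "that becomes the root of trust for the OS, under the assumption that the kernel can be compromised" reads clearly. The "Windows Security app" paragraph that documents dismissing the warning via `Hardware_HVCI_Off` should say that this only hides the warning and does not enable memory integrity.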
@ -62,17 +71,17 @@ Enabling in Intune requires using the Code Integrity node in the [Virtualization
3. Double-click **Turn on Virtualization Based Security**.
4. Click **Enabled** and under **Virtualization Based Protection of Code Integrity**, select **Enabled with UEFI lock** to ensure HVCI can't be disabled remotely or select **Enabled without UEFI lock**.
4. Select **Enabled** and under **Virtualization Based Protection of Code Integrity**, select **Enabled without UEFI lock**. Only select **Enabled with UEFI lock** if you want to prevent memory integrity from being disabled remotely or by policy update. Once enabled with UEFI lock, you must have access to the UEFI BIOS menu to turn off Secure Boot if you want to turn off memory integrity.
![Enable HVCI using Group Policy.](../images/enable-hvci-gp.png)
![Enable memory integrity using Group Policy.](../images/enable-hvci-gp.png)
5. Click **Ok** to close the editor.
5. Select **Ok** to close the editor.
To apply the new policy on a domain-joined computer, either restart or run `gpupdate /force` in an elevated command prompt.
### Use registry keys to enable virtualization-based protection of code integrity
### Use registry keys to enable memory integrity
Set the following registry keys to enable HVCI. These keys provide exactly the same set of configuration options provided by Group Policy.
Set the following registry keys to enable memory integrity. These keys provide exactly the same set of configuration options provided by Group Policy.
<!--This comment ensures that the Important above and the Warning below don't merge together. -->
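Review bot: step 4 now recommends **Enabled without UEFI lock** and only mentions the lock as an option; since the lock is what prevents memory integrity from being disabled remotely or by a later policy update, lead with that tradeoff before the recommendation so the weaker default is a conscious choice. Step 5 "Select **Ok**" should be "Select **OK**" per the product UI.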
@ -80,13 +89,13 @@ Set the following registry keys to enable HVCI. These keys provide exactly the s
>
> - Among the commands that follow, you can choose settings for **Secure Boot** and **Secure Boot with DMA**. In most situations, we recommend that you choose **Secure Boot**. This option provides Secure Boot with as much protection as is supported by a given computer's hardware. A computer with input/output memory management units (IOMMUs) will have Secure Boot with DMA protection. A computer without IOMMUs will simply have Secure Boot enabled.
>
> - In contrast, with **Secure Boot with DMA**, the setting will enable Secure Boot—and VBS itself—only on a computer that supports DMA, that is, a computer with IOMMUs. With this setting, any computer without IOMMUs will not have VBS or HVCI protection, although it can still have Windows Defender Application Control enabled.
> - If you select **Secure Boot with DMA**, memory integrity and the other VBS features will only be turned on for computers that support DMA. That is, for computers with IOMMUs only. Any computer without IOMMUs will not have VBS or memory integrity protection.
>
> - All drivers on the system must be compatible with virtualization-based protection of code integrity; otherwise, your system may fail. We recommend that you enable these features on a group of test computers before you enable them on users' computers.
#### For Windows 10 version 1607 and later and for Windows 11 version 21H2
Recommended settings (to enable virtualization-based protection of Code Integrity policies, without UEFI Lock):
Recommended settings (to enable memory integrity without UEFI Lock):
```console
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f
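Review bot: "That is, for computers with IOMMUs only." in the new **Secure Boot with DMA** bullet is a sentence fragment; fold it into the previous sentence ("only be turned on for computers that support DMA, that is, computers with IOMMUs"). The unchanged bullet below it still says "compatible with virtualization-based protection of code integrity", which this commit renames to memory integrity everywhere else.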
@ -100,9 +109,9 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorE
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 0 /f
```
If you want to customize the preceding recommended settings, use the following settings.
If you want to customize the preceding recommended settings, use the following registry keys.
**To enable VBS**
**To enable VBS only (no memory integrity)**
```console
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f
@ -132,19 +141,19 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_D
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 1 /f
```
**To enable virtualization-based protection of Code Integrity policies**
**To enable memory integrity**
```console
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 1 /f
```
**To enable virtualization-based protection of Code Integrity policies without UEFI lock (value 0)**
**To enable memory integrity without UEFI lock (value 0)**
```console
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 0 /f
```
**To enable virtualization-based protection of Code Integrity policies with UEFI lock (value 1)**
**To enable memory integrity with UEFI lock (value 1)**
```console
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 1 /f
@ -152,7 +161,7 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorE
#### For Windows 10 version 1511 and earlier
Recommended settings (to enable virtualization-based protection of Code Integrity policies, without UEFI Lock):
Recommended settings (to enable memory integrity, without UEFI Lock):
```console
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f
@ -184,34 +193,45 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformS
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 3 /f
```
**To enable virtualization-based protection of Code Integrity policies (with the default, UEFI lock)**
**To enable memory integrity (with the default, UEFI lock)**
```console
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "HypervisorEnforcedCodeIntegrity" /t REG_DWORD /d 1 /f
```
**To enable virtualization-based protection of Code Integrity policies without UEFI lock**
**To enable memory integrity without UEFI lock**
```console
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Unlocked" /t REG_DWORD /d 1 /f
```
### Validate enabled Windows Defender Device Guard hardware-based security features
### Enable memory integrity using Windows Defender Application Control (WDAC)
Windows 10, Windows 11, and Windows Server 2016 have a WMI class for related properties and features: *Win32\_DeviceGuard*. This class can be queried from an elevated Windows PowerShell session by using the following command:
You can use WDAC policy to turn on memory integrity using any of the following techniques:
1. Use the [WDAC Wizard](https://aka.ms/wdacwizard) to create or edit your WDAC policy and select the option **Hypervisor-protected Code Integrity** on the **Policy Rules** page of the Wizard.
2. Use the [Set-HVCIOptions](/powershell/module/configci/set-hvcioptions) PowerShell cmdlet.
3. Edit your WDAC policy XML and modify the value set for the `<HVCIOptions>` element.
> [!NOTE]
> If your WDAC policy is set to turn memory integrity on, it will be turned on even if the policy is in audit mode.
### Validate enabled VBS and memory integrity features
Windows 10, Windows 11, and Windows Server 2016 and higher have a WMI class for VBS-related properties and features: *Win32\_DeviceGuard*. This class can be queried from an elevated Windows PowerShell session by using the following command:
```powershell
Get-CimInstance ClassName Win32_DeviceGuard Namespace root\Microsoft\Windows\DeviceGuard
```
> [!NOTE]
> Mode Based Execution Control property will only be listed as available starting with Windows 10 version 1803 and Windows 11 version 21H2.
> Mode Based Execution Control property will only be listed as available starting with Windows 10 version 1803 and Windows 11 version 21H2. This value is reported for both Intel's *Mode-Based Execution Control* and AMD's *Guest Mode Execute Trap* capabilities.
The output of this command provides details of the available hardware-based security features and those features that are currently enabled.
#### AvailableSecurityProperties
This field helps to enumerate and report state on the relevant security properties for Windows Defender Device Guard.
This field helps to enumerate and report state on the relevant security properties for VBS and memory integrity.
Value | Description
-|-
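Review bot: the validation command in this hunk's context, `Get-CimInstance ClassName Win32_DeviceGuard Namespace root\Microsoft\Windows\DeviceGuard`, has no parameter dashes (or non-ASCII dashes that were lost) and will not run as shown; it should read `Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard` with plain ASCII hyphens. Also, step 3 of the new WDAC section tells the reader to "modify the value set for the `<HVCIOptions>` element" without saying which value turns memory integrity on; state the value, or the equivalent `Set-HVCIOptions` switch, so the XML path is as actionable as the Wizard and cmdlet paths.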
@ -227,11 +247,11 @@ Value | Description
#### InstanceIdentifier
A string that is unique to a particular device. Valid values are determined by WMI.
A string that is unique to a particular device and set by WMI.
#### RequiredSecurityProperties
This field describes the required security properties to enable virtualization-based security.
This field describes the required security properties to enable VBS.
Value | Description
-|-
@ -246,25 +266,25 @@ Value | Description
#### SecurityServicesConfigured
This field indicates whether the Windows Defender Credential Guard or HVCI service has been configured.
This field indicates whether Windows Defender Credential Guard or memory integrity has been configured.
Value | Description
-|-
**0.** | No services are configured.
**1.** | If present, Windows Defender Credential Guard is configured.
**2.** | If present, HVCI is configured.
**2.** | If present, memory integrity is configured.
**3.** | If present, System Guard Secure Launch is configured.
**4.** | If present, SMM Firmware Measurement is configured.
#### SecurityServicesRunning
This field indicates whether the Windows Defender Credential Guard or HVCI service is running.
This field indicates whether Windows Defender Credential Guard or memory integrity is running.
Value | Description
-|-
**0.** | No services running.
**1.** | If present, Windows Defender Credential Guard is running.
**2.** | If present, HVCI is running.
**2.** | If present, memory integrity is running.
**3.** | If present, System Guard Secure Launch is running.
**4.** | If present, SMM Firmware Measurement is running.
@ -286,43 +306,41 @@ Value | Description
This field lists the computer name. All valid values for computer name.
Another method to determine the available and enabled virtualization-based security features is to run msinfo32.exe from an elevated PowerShell session. When you run this program, the virtualization-based security features are displayed at the bottom of the **System Summary** section.
Another method to determine the available and enabled VBS features is to run msinfo32.exe from an elevated PowerShell session. When you run this program, the VBS features are displayed at the bottom of the **System Summary** section.
:::image type="content" alt-text="Virtualization-based security features in the System Summary of System Information." source="images/system-information-virtualization-based-security.png" lightbox="images/system-information-virtualization-based-security.png":::
## Troubleshooting
A. If a device driver fails to load or crashes at runtime, you may be able to update the driver using **Device Manager**.
- If a device driver fails to load or crashes at runtime, you may be able to update the driver using **Device Manager**.
- If you experience a critical error during boot or your system is unstable after turning on memory integrity, you can recover using the Windows Recovery Environment (Windows RE).
1. First, disable any policies that are used to enable VBS and memory integrity, for example Group Policy.
2. Then, boot to Windows RE on the affected computer, see [Windows RE Technical Reference](/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference).
3. After logging in to Windows RE, set the memory integrity registry key to off:
B. If you experience software or device malfunction after using the above procedure to turn on HVCI, but you're able to sign in to Windows, you can turn off HVCI by renaming or deleting the SIPolicy.p7b file from `<OS Volume>\Windows\System32\CodeIntegrity\` and then restart your device.
```console
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 0 /f
```
C. If you experience a critical error during boot or your system is unstable after using the above procedure to turn on HVCI, you can recover using the Windows Recovery Environment (Windows RE). To boot to Windows RE, see [Windows RE Technical Reference](/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference). After logging in to Windows RE, you can turn off HVCI by renaming or deleting the SIPolicy.p7b file from `<OS Volume>\Windows\System32\CodeIntegrity\` and then restart your device.
4. Finally, restart your device.
## How to turn off HVCI
> [!NOTE]
> If you turned on memory integrity with UEFI lock, you will need to disable Secure Boot to complete the Windows RE recovery steps.
1. Run the following command from an elevated prompt to set the HVCI registry key to off:
## Memory integrity deployment in virtual machines
```console
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 0 /f
```
Memory integrity can protect a Hyper-V virtual machine, just as it would a physical machine. The steps to enable memory integrity are the same from within the virtual machine.
1. Restart the device.
1. To confirm HVCI has been successfully disabled, open System Information and check **Virtualization-based security Services Running**, which should now have no value displayed.
## HVCI deployment in virtual machines
HVCI can protect a Hyper-V virtual machine, just as it would a physical machine. The steps to enable Windows Defender Application Control are the same from within the virtual machine.
WDAC protects against malware running in the guest virtual machine. It doesn't provide extra protection from the host administrator. From the host, you can disable WDAC for a virtual machine:
Memory integrity protects against malware running in the guest virtual machine. It doesn't provide extra protection from the host administrator. From the host, you can disable memory integrity for a virtual machine:
```powershell
Set-VMSecurity -VMName <VMName> -VirtualizationBasedSecurityOptOut $true
```
### Requirements for running HVCI in Hyper-V virtual machines
- The Hyper-V host must run at least Windows Server 2016 or Windows 10 version 1607.
- The Hyper-V virtual machine must be Generation 2, and running at least Windows Server 2016 or Windows 10.
- HVCI and [nested virtualization](/virtualization/hyper-v-on-windows/user-guide/nested-virtualization) can be enabled at the same time. To enable the Hyper-V role on the virtual machine, you must first install the Hyper-V role in a Windows nested virtualization environment.
- Virtual Fibre Channel adapters aren't compatible with HVCI. Before attaching a virtual Fibre Channel Adapter to a virtual machine, you must first opt out of virtualization-based security using `Set-VMSecurity`.
- The AllowFullSCSICommandSet option for pass-through disks isn't compatible with HVCI. Before configuring a pass-through disk with AllowFullSCSICommandSet, you must first opt out of virtualization-based security using `Set-VMSecurity`.
### Requirements for running memory integrity in Hyper-V virtual machines
- The Hyper-V host must run at least Windows Server 2016 or Windows 10 version 1607.
- The Hyper-V virtual machine must be Generation 2, and running at least Windows Server 2016 or Windows 10.
- Memory integrity and [nested virtualization](/virtualization/hyper-v-on-windows/user-guide/nested-virtualization) can be enabled at the same time. To enable the Hyper-V role on the virtual machine, you must first install the Hyper-V role in a Windows nested virtualization environment.
- Virtual Fibre Channel adapters aren't compatible with memory integrity. Before attaching a virtual Fibre Channel Adapter to a virtual machine, you must first opt out of virtualization-based security using `Set-VMSecurity`.
- The AllowFullSCSICommandSet option for pass-through disks isn't compatible with memory integrity. Before configuring a pass-through disk with AllowFullSCSICommandSet, you must first opt out of virtualization-based security using `Set-VMSecurity`.
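Review bot: step 3 of the Windows RE recovery steps runs `reg add` against `HKLM\SYSTEM\CurrentControlSet\...` from inside Windows RE, where `HKLM\SYSTEM` is the recovery environment's own hive rather than the installed OS's, so the command does not change the affected installation; the step needs to load the offline SYSTEM hive from `<OS Volume>\Windows\System32\config\SYSTEM` with `reg load`, set `Enabled` to 0 under the loaded hive's `ControlSet001\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity` key, and unload it before restarting. Separately, this hunk deletes the whole "How to turn off HVCI" section, so a system that still boots now has no documented way to turn memory integrity off outside the recovery flow; keep a normal turn-off procedure (the registry command, a restart, and the System Information check that **Virtualization-based security Services Running** no longer lists memory integrity).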

View File

@ -9,7 +9,7 @@ ms.reviewer:
manager: aaroncz
ms.custom: asr
ms.technology: itpro-security
ms.date: 12/31/2017
ms.date: 03/16/2023
ms.topic: article
---
@ -18,30 +18,32 @@ ms.topic: article
**Applies to**
- Windows 10
- Windows Server 2016
- Windows 11
- Windows Server 2016 and higher
Windows 10 includes a set of hardware and OS technologies that, when configured together, allow enterprises to "lock down" Windows 10 systems so they behave more like mobile devices. In this configuration, Windows Defender Application Control (WDAC) is used to restrict devices to run only approved apps, while the OS is hardened against kernel memory attacks using hypervisor-protected code integrity (HVCI).
Windows includes a set of hardware and OS technologies that, when configured together, allow enterprises to "lock down" Windows systems so they behave more like mobile devices. In this configuration, [**Windows Defender Application Control (WDAC)**](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control) is used to restrict devices to run only approved apps, while the OS is hardened against kernel memory attacks using [**memory integrity**](enable-virtualization-based-protection-of-code-integrity.md).
WDAC policies and HVCI are powerful protections that can be used separately. However, when these two technologies are configured to work together, they present a strong protection capability for Windows 10 devices.
> [!NOTE]
> Memory integrity is sometimes referred to as *hypervisor-protected code integrity (HVCI)* or *hypervisor enforced code integrity*, and was originally released as part of *Device Guard*. Device Guard is no longer used except to locate memory integrity and VBS settings in Group Policy or the Windows registry.
Using Windows Defender Application Control to restrict devices to only authorized apps has these advantages over other solutions:
WDAC policies and memory integrity are powerful protections that can be used separately. However, when these two technologies are configured to work together, they present a strong protection capability for Windows devices.
1. WDAC policy is enforced by the Windows kernel itself, and the policy takes effect early in the boot sequence before nearly all other OS code and before traditional antivirus solutions run.
2. WDAC lets you set application control policy for code that runs in user mode, kernel mode hardware and software drivers, and even code that runs as part of Windows.
3. Customers can protect the WDAC policy even from local administrator tampering by digitally signing the policy. To change signed policy requires both administrative privilege and access to the organization's digital signing process. This makes it difficult for an attacker, including one who has managed to gain administrative privilege, to tamper with WDAC policy.
4. You can protect the entire WDAC enforcement mechanism with HVCI. Even if a vulnerability exists in kernel mode code, HVCI greatly reduces the likelihood that an attacker could successfully exploit it. This is important because an attacker that compromises the kernel could normally disable most system defenses, including those enforced by WDAC or any other application control solution.
Using WDAC to restrict devices to only authorized apps has these advantages over other solutions:
## Why we no longer use the Device Guard brand
1. The Windows kernel handles enforcement of WDAC policy and requires no other services or agents.
2. The WDAC policy takes effect early in the boot sequence before nearly all other OS code and before traditional antivirus solutions run.
3. WDAC lets you set application control policy for any code that runs on Windows, including kernel mode drivers and even code that runs as part of Windows.
4. Customers can protect the WDAC policy even from local administrator tampering by digitally signing the policy. Changing signed policy requires both administrative privilege and access to the organization's digital signing process. Using signed policies makes it difficult for an attacker, including one who has managed to gain administrative privilege, to tamper with WDAC policy.
5. You can protect the entire WDAC enforcement mechanism with memory integrity. Even if a vulnerability exists in kernel mode code, memory integrity greatly reduces the likelihood that an attacker could successfully exploit it. Without memory integrity, an attacker who compromises the kernel could normally disable most system defenses, including application control policies enforced by WDAC or any other application control solution.
When we originally promoted Device Guard, we did so with a specific security promise in mind. Although there were no direct dependencies between WDAC and HVCI, we intentionally focused our discussion around the lockdown state achieved when using them together. However, since HVCI relies on Windows virtualization-based security, it has hardware, firmware, and kernel driver compatibility requirements that some older systems can't meet. This misled many people to assume that if systems couldn't use HVCI, they couldn't use WDAC either.
There are no direct dependencies between WDAC and memory integrity. You can deploy them individually or together and there's no order in which they must be deployed.
WDAC has no specific hardware or software requirements other than running Windows 10, which means customers were denied the benefits of this powerful application control capability due to Device Guard confusion.
Memory integrity relies on Windows virtualization-based security, and has hardware, firmware, and kernel driver compatibility requirements that some older systems can't meet.
Since the initial release of Windows 10, the world has witnessed numerous hacking and malware attacks where application control alone could have prevented the attack altogether. With this in mind, we now discuss and document Windows Defender Application Control as an independent technology within our security stack and gave it a name of its own: [Windows Defender Application Control](../windows-defender-application-control/windows-defender-application-control.md).
We hope this change will help us better communicate options for adopting application control within your organizations.
WDAC has no specific hardware or software requirements.
## Related articles
- [Windows Defender Application Control](../windows-defender-application-control/windows-defender-application-control.md)
- [Driver compatibility with Device Guard in Windows 10](https://techcommunity.microsoft.com/t5/windows-hardware-certification/driver-compatibility-with-device-guard-in-windows-10/ba-p/364865)
- [Code integrity](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd348642(v=ws.10))
- [Memory integrity](enable-virtualization-based-protection-of-code-integrity.md)
- [Driver compatibility with memory integrity](https://techcommunity.microsoft.com/t5/windows-hardware-certification/driver-compatibility-with-device-guard-in-windows-10/ba-p/364865)
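Review bot: "WDAC has no specific hardware or software requirements." drops the old qualifier "other than running Windows 10" and now sits uneasily beside the note, added elsewhere in this same commit, that some WDAC capabilities are only available on specific Windows versions; reword to "no hardware requirements beyond a supported Windows version" and link the feature-availability article. The applies-to line "Windows Server 2016 and higher" should use "and later", matching the heading style used for Windows versions in the sibling article.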

View File

@ -230,6 +230,11 @@ sections:
- Visit [Create a new support request](https://support.serviceshub.microsoft.com/supportforbusiness/create).
- Under the Product Family, select Windows. Select the product and the product version you need help with. For the category that best describes the issue, select, **Windows Security Technologies**. In the final option, select **Windows Defender Application Guard**.
- question: |
Is there a way to enable or disable the behavior where the host Edge tab auto-closes when navigating to an untrusted site?
answer: |
Yes. Use this Edge flag to enable or disable this behavior: `--disable-features="msWdagAutoCloseNavigatedTabs"`
additionalContent: |
## See also
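Review bot: the answer says the flag can "enable or disable" the auto-close behavior, but `--disable-features="msWdagAutoCloseNavigatedTabs"` only turns it off; state that the behavior is on by default and that this flag disables it, and say how the flag is applied (it is a Microsoft Edge command-line argument, not a policy setting), so readers do not search the Application Guard policies for it.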

View File

@ -47,4 +47,4 @@ Your environment must have the following hardware to run Microsoft Defender Appl
|--------|-----------|
| Operating system | Windows 10 Enterprise edition, version 1809 or later <br/> Windows 10 Professional edition, version 1809 or later <br/> Windows 10 Professional for Workstations edition, version 1809 or later <br/> Windows 10 Professional Education edition, version 1809 or later <br/> Windows 10 Education edition, version 1809 or later <br/> Windows 11 Education, Enterprise, and Professional editions |
| Browser | Microsoft Edge |
| Management system <br> (only for managed devices)| [Microsoft Intune](/intune/) <p> **OR** <p> [Microsoft Configuration Manager](/configmgr/) <p> **OR** <p> [Group Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753298(v=ws.11)) <p> **OR** <p>Your current, company-wide, non-Microsoft mobile device management (MDM) solution. For info about non-Mirosoft MDM solutions, see the documentation that came with your product. |
| Management system <br> (only for managed devices)| [Microsoft Intune](/intune/) <p> **OR** <p> [Microsoft Configuration Manager](/configmgr/) <p> **OR** <p> [Group Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753298(v=ws.11)) <p> **OR** <p>Your current, company-wide, non-Microsoft mobile device management (MDM) solution. For info about non-Microsoft MDM solutions, see the documentation that came with your product. |

View File

@ -12,7 +12,7 @@ adobe-target: true
ms.collection:
- tier2
- highpri
ms.date: 12/31/2017
ms.date: 03/20/2023
ms.topic: article
---
@ -29,13 +29,11 @@ Microsoft Defender SmartScreen protects against phishing or malware websites and
**Microsoft Defender SmartScreen determines whether a site is potentially malicious by:**
- Analyzing visited webpages and looking for indications of suspicious behavior. If Microsoft Defender SmartScreen determines that a page is suspicious, it will show a warning page to advise caution.
- Checking the visited sites against a dynamic list of reported phishing sites and malicious software sites. If it finds a match, Microsoft Defender SmartScreen shows a warning to let the user know that the site might be malicious.
**Microsoft Defender SmartScreen determines whether a downloaded app or app installer is potentially malicious by:**
- Checking downloaded files against a list of reported malicious software sites and programs known to be unsafe. If it finds a match, Microsoft Defender SmartScreen shows a warning to let the user know that the site might be malicious.
- Checking downloaded files against a list of files that are well known and downloaded by many Windows users. If the file isn't on that list, Microsoft Defender SmartScreen shows a warning, advising caution.
## Benefits of Microsoft Defender SmartScreen
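Review bot: removing the two list-check bullets leaves the bold lead-in "determines whether a downloaded app or app installer is potentially malicious by:" followed by a single bullet; fold that bullet into the lead-in sentence or keep the second bullet. Also confirm the removal is intentional, since the **Reputation-based URL and app protection** bullet in the Benefits section below still describes the reputation checks these bullets explained.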
@ -43,15 +41,10 @@ Microsoft Defender SmartScreen protects against phishing or malware websites and
Microsoft Defender SmartScreen provide an early warning system against websites that might engage in phishing attacks or attempt to distribute malware through a socially engineered attack. The primary benefits are:
- **Anti-phishing and anti-malware support:** Microsoft Defender SmartScreen helps to protect users from sites that are reported to host phishing attacks or attempt to distribute malicious software. It can also help protect against deceptive advertisements, scam sites, and drive-by attacks. Drive-by attacks are web-based attacks that tend to start on a trusted site, targeting security vulnerabilities in commonly used software. Because drive-by attacks can happen even if the user doesn't select or download anything on the page, the danger often goes unnoticed. For more information about drive-by attacks, see [Evolving Microsoft Defender SmartScreen to protect you from drive-by attacks](https://blogs.windows.com/msedgedev/2015/12/16/SmartScreen-drive-by-improvements/).
- **Reputation-based URL and app protection:** Microsoft Defender SmartScreen evaluates a website's URLs to determine if they're known to distribute or host unsafe content. It also provides reputation checks for apps, checking downloaded programs and the digital signature used to sign a file. If a URL, a file, an app, or a certificate has an established reputation, users won't see any warnings. If there's no reputation, the item is marked as a higher risk and presents a warning to the user.
- **Operating system integration:** Microsoft Defender SmartScreen is integrated into the Windows 10 operating system. It checks any files an app (including 3rd-party browsers and email clients) that attempts to download and run.
- **Improved heuristics and diagnostic data:** Microsoft Defender SmartScreen is constantly learning and endeavoring to stay up to date, so it can help to protect you against potentially malicious sites and files.
- **Management through group policy and Microsoft Intune:** Microsoft Defender SmartScreen supports using both group policy and Microsoft Intune settings. For more info about all available settings, see [Available Microsoft Defender SmartScreen group policy and mobile device management (MDM) settings](microsoft-defender-smartscreen-available-settings.md).
- **Blocking URLs associated with potentially unwanted applications:** In Microsoft Edge (based on Chromium), SmartScreen blocks URLs associated with potentially unwanted applications, or PUAs. For more information on blocking URLs associated with PUAs, see [Detect and block potentially unwanted applications](/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus).
> [!IMPORTANT]
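Review bot: deleting the **Management through group policy and Microsoft Intune** bullet removes this section's only link to microsoft-defender-smartscreen-available-settings.md; if the bullet does not belong in a benefits list, link the settings article from elsewhere in this article so the configuration reference stays reachable. In the unchanged context, "Microsoft Defender SmartScreen provide an early warning system" should read "provides".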
@ -61,14 +54,14 @@ Microsoft Defender SmartScreen provide an early warning system against websites
If you believe a warning or block was incorrectly shown for a file or application, or if you believe an undetected file is malware, you can [submit a file](https://www.microsoft.com/wdsi/filesubmission/) to Microsoft for review. For more information, see [Submit files for analysis](/microsoft-365/security/intelligence/submission-guide).
When submitting Microsoft Defender SmartScreen products, make sure to select **Microsoft Defender SmartScreen** from the product menu.
When submitting a file for Microsoft Defender SmartScreen, make sure to select **Microsoft Defender SmartScreen** from the product menu.
![Windows Security, Microsoft Defender SmartScreen controls.](images/Microsoft-defender-smartscreen-submission.png)
## Viewing Microsoft Defender SmartScreen anti-phishing events
> [!NOTE]
> No SmartScreen events will be logged when using Microsoft Edge version 77 or later.
> No SmartScreen events are logged when using Microsoft Edge version 77 or later.
When Microsoft Defender SmartScreen warns or blocks a user from a website, it's logged as [Event 1035 - Anti-Phishing](/previous-versions/windows/internet-explorer/ie-developer/compatibility/dd565657(v=vs.85)).

View File

@ -105,10 +105,10 @@
- name: WDAC operational guide
href: windows-defender-application-control-operational-guide.md
items:
- name: Understanding Application Control event tags
href: event-tag-explanations.md
- name: Understanding Application Control event IDs
href: event-id-explanations.md
- name: Understanding Application Control event tags
href: event-tag-explanations.md
- name: Query WDAC events with Advanced hunting
href: querying-application-control-events-centrally-using-advanced-hunting.md
- name: Known Issues
@ -117,6 +117,8 @@
href: configure-wdac-managed-installer.md
- name: CITool.exe technical reference
href: operations/citool-commands.md
- name: Inbox WDAC policies
href: operations/inbox-wdac-policies.md
- name: WDAC AppId Tagging guide
href: AppIdTagging/windows-defender-application-control-appid-tagging-guide.md
items:

View File

@ -13,7 +13,7 @@ author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
ms.topic: conceptual
ms.date: 11/09/2020
ms.date: 03/10/2023
ms.technology: itpro-security
---
@ -28,65 +28,59 @@ ms.technology: itpro-security
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
This article for IT professionals describes the steps to delete an AppLocker rule.
This article for IT professionals describes the steps to delete AppLocker rules.
As older apps are retired and new apps are deployed in your organization, it will be necessary to modify the application control policies. If an app becomes unsupported by the IT department or is no longer allowed due to the organization's security policy, then deleting the rule or rules associated with that app will prevent the app from running.
As older apps are retired and new apps are deployed in your organization, it's necessary to modify the application control policies. If an app is no longer supported by your organization, then deleting the rule or rules associated with that app prevents the app from running.
For info about testing an AppLocker policy to see what rules affect which files or applications, see [Test an AppLocker policy by Using Test-AppLockerPolicy](test-an-applocker-policy-by-using-test-applockerpolicy.md).
You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer
AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins).
You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins).
These steps apply only for locally managed devices. If the device has AppLocker policies applied by using MDM or a GPO, the local policy won't override those settings.
These steps apply only for locally managed devices. Any AppLocker policies delivered through MDM or Group Policy must be removed using those tools.
## To delete a rule in an AppLocker policy
1. Open the AppLocker console.
2. Click the appropriate rule collection for which you want to delete the rule.
3. In the details pane, right-click the rule to delete, click **Delete**, and then click **Yes**.
1. Open the AppLocker console.
2. Select the appropriate rule collection for which you want to delete the rule.
3. In the details pane, right-click the rule to delete, select **Delete**, and then select **Yes**.
> [!Note]
> [!NOTE]
>
> - When using Group Policy, the Group Policy Object must be distributed or refreshed for rule deletion to take effect on devices.
> - Application Identity service needs to be running for deleting Applocker rules. If you disable Applocker and delete Applocker rules, make sure to stop the Application Identity service after deleting Applocker rules. If the Application Identity service is stopped before deleting Applocker rules, and if Applocker blocks apps that are disabled, delete all of the files at `C:\Windows\System32\AppLocker`.
When the following procedure is performed on the local device, the AppLocker policy takes effect immediately.
## To clear AppLocker policies on a single system or remote systems
Use the Set-AppLockerPolicy cmdlet with the -XMLPolicy parameter, using an .XML file that contains the following contents:
```xml
<AppLockerPolicy Version="1">
<RuleCollection Type="Exe" EnforcementMode="NotConfigured" />
<RuleCollection Type="Msi" EnforcementMode="NotConfigured" />
<RuleCollection Type="Script" EnforcementMode="NotConfigured" />
<RuleCollection Type="Dll" EnforcementMode="NotConfigured" />
<RuleCollection Type="Appx" EnforcementMode="NotConfigured" />
<RuleCollection Type="ManagedInstaller" EnforcementMode="NotConfigured" />
</AppLockerPolicy>
```
To use the Set-AppLockerPolicy cmdlet, first import the AppLocker modules:
First import the AppLocker modules for PowerShell:
```powershell
PS C:\Users\Administrator> import-module AppLocker
```
We'll create a file (for example, clear.xml), place it in the same directory where we're executing our cmdlet, and add the preceding XML contents. Then run the following command:
Create a file called clear.xml with the following XML content and save it to your desktop.
```powershell
C:\Users\Administrator> Set-AppLockerPolicy -XMLPolicy .\clear.xml
```xml
<AppLockerPolicy Version="1" />
```
This command will remove all AppLocker Policies on a machine and could be potentially scripted to use on multiple machines using remote execution tools with accounts with proper access.
Then run the following command from an elevated PowerShell session to remove all local AppLocker policies from the device:
The following PowerShell commands must also be run to stop the AppLocker services and the effects of the former AppLocker policy.
```powershell
C:\Users\Administrator> Set-AppLockerPolicy -XMLPolicy $env:USERPROFILE\Desktop\clear.xml
```
Run the following PowerShell commands to stop the AppLocker services and change their startup configuration.
```powershell
appidtel.exe stop [-mionly]
sc.exe config appid start=demand
sc.exe config appidsvc start=demand
sc.exe config applockerfltr start=demand
sc stop applockerfltr
sc stop appidsvc
sc stop appid
sc.exe stop applockerfltr
sc.exe stop appidsvc
sc.exe stop appid
```
All of these steps can be run on a single machine or deployed as a script to multiple devices.
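Review bot: the service block at `appidtel.exe stop [-mionly]` through `sc.exe config applockerfltr start=demand` is not copy-paste safe: the square brackets are documentation syntax for an optional switch and will fail if pasted literally, and `sc.exe config` requires a space after the `start=` token (`sc.exe config appid start= demand`), so the three config lines error as written. Show `appidtel.exe stop` on its own and mention `-mionly` in prose, and write `start= demand` on each config line. The switch from the per-collection `EnforcementMode="NotConfigured"` XML to the empty `<AppLockerPolicy Version="1" />` works with `Set-AppLockerPolicy -XMLPolicy` because that cmdlet replaces the local policy unless `-Merge` is given, but one sentence saying that an empty policy removes every rule collection (and that `-Merge` must not be used here) would spare readers who compare the two files. The note "if Applocker blocks apps that are disabled, delete all of the files at `C:\Windows\System32\AppLocker`" is hard to follow; state the condition it means (rules still enforced after deletion because the service was stopped first) before telling the reader to delete the cached policy files by hand.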

@ -8,7 +8,7 @@ author: jsuther1974
ms.reviewer: jogeurte
ms.author: vinpa
manager: aaroncz
ms.date: 02/27/2023
ms.date: 03/16/2023
ms.technology: itpro-security
---
@ -28,7 +28,7 @@ When you create policies for use with Windows Defender Application Control, star
| **Example Base Policy** | **Description** | **Where it can be found** |
|-------------------------|---------------------------------------------------------------|--------|
| **DefaultWindows_\*.xml** | This example policy is available in both audit and enforced mode. It includes rules to allow Windows, third-party hardware and software kernel drivers, and Windows Store apps. Used as the basis for the [Microsoft Intune product family](https://www.microsoft.com/security/business/endpoint-management/microsoft-intune) policies. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_\*.xml <br> %ProgramFiles%\WindowsApps\Microsoft.WDAC.WDACWizard*\DefaultWindows_Audit.xml |
| **AllowMicrosoft.xml** | This example policy is available in enforcement mode. It includes the rules from DefaultWindows and adds rules to trust apps signed by the Microsoft product root certificate. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowMicrosoft.xml <br> %ProgramFiles%\WindowsApps\Microsoft.WDAC.WDACWizard*\AllowMicrosoft.xml |
| **AllowMicrosoft.xml** | This example policy includes the rules from DefaultWindows and adds rules to trust apps signed by the Microsoft product root certificate. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowMicrosoft.xml <br> %ProgramFiles%\WindowsApps\Microsoft.WDAC.WDACWizard*\AllowMicrosoft.xml |
| **AllowAll.xml** | This example policy is useful when creating a blocklist. All block policies should include rules allowing all other code to run and then add the DENY rules for your organization's needs. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml |
| **AllowAll_EnableHVCI.xml** | This example policy can be used to enable [memory integrity](https://support.microsoft.com/windows/core-isolation-e30ed737-17d8-42f3-a2a9-87521df09b78) (also known as hypervisor-protected code integrity) using Application Control. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowAll_EnableHVCI.xml |
| **DenyAllAudit.xml** | ***Warning: May cause long boot time on Windows Server 2019.*** Only deploy this example policy in audit mode to track all binaries running on critical systems or to meet regulatory requirements. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\DenyAllAudit.xml |
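Review bot: dropping "This example policy is available in enforcement mode." from the **AllowMicrosoft.xml** row leaves the table inconsistent: the **DefaultWindows_\*.xml** row still says which modes its example ships in, so a reader can no longer tell whether AllowMicrosoft.xml is audit, enforced, or both. Either state the mode of the shipped file in that row or drop the mode sentence from every row and say it once above the table.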

@ -0,0 +1,45 @@
---
title: Inbox WDAC policies
description: This article describes the inbox WDAC policies that may be active on a device.
keywords: security, malware
ms.prod: windows-client
audience: ITPro
author: jsuther1974
ms.reviewer: jogeurte
ms.author: jogeurte
ms.manager: jsuther
manager: aaroncz
ms.date: 03/10/2023
ms.technology: itpro-security
ms.topic: article
ms.localizationpriority: medium
---
# Inbox WDAC policies
**Applies to:**
- Windows 10
- Windows 11
- Windows Server 2016 and above
> [!NOTE]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
This article describes the Windows Defender Application Control (WDAC) policies that ship inbox with Windows and may be active on your devices. To see which policies are active on your device, use [citool.exe](/windows/security/threat-protection/windows-defender-application-control/operations/citool-commands) or check the *CodeIntegrity - Operational* event log for 3099 policy activation events.
## Inbox WDAC Policies
| **Policy Name** | **Policy ID** | **Policy Type** | **Description** |
|-----------|-----------|-----------|-----------|
| **Microsoft Windows Driver Policy** | {d2bda982-ccf6-4344-ac5b-0b44427b6816} | Kernel-only Base policy | This policy blocks known [vulnerable or malicious kernel drivers](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules). It's active by default on Windows 11 22H2, [Windows in S mode](https://support.microsoft.com/windows/windows-10-and-windows-11-in-s-mode-faq-851057d6-1ee9-b9e5-c30b-93baebeebc85), [Windows 11 SE](/education/windows/windows-11-se-overview), and anywhere [memory integrity](https://support.microsoft.com/windows/core-isolation-e30ed737-17d8-42f3-a2a9-87521df09b78) (also known as hypervisor-protected code integrity (HVCI)) is on. Its policy binary file is found at `%windir%\System32\CodeIntegrity\driversipolicy.p7b` and in the EFI system partition at `<EFI System Partition>\Microsoft\Boot\driversipolicy.p7b`. |
| **Windows10S_Lockdown_Policy_Supplementable** | {5951a96a-e0b5-4d3d-8fb8-3e5b61030784} | Base policy | This policy is active on devices running [Windows in S mode](https://support.microsoft.com/windows/windows-10-and-windows-11-in-s-mode-faq-851057d6-1ee9-b9e5-c30b-93baebeebc85). Its policy binary file is found in the EFI system partition at `<EFI System Partition>\Microsoft\Boot\winsipolicy.p7b`. |
| **WindowsE_Lockdown_Policy** | {82443e1e-8a39-4b4a-96a8-f40ddc00b9f3} | Base policy | This policy is active on devices running [Windows 11 SE](/education/windows/windows-11-se-overview). Its policy binary file is found in the EFI system partition at `<EFI System Partition>\Microsoft\Boot\CIPolicies\Active\{82443e1e-8a39-4b4a-96a8-f40ddc00b9f3}.cip`. |
| **WindowsE_Lockdown_Flight_Policy_Supplemental** | {5dac656c-21ad-4a02-ab49-649917162e70} | Supplemental policy | This policy is active on devices running [Windows 11 SE](/education/windows/windows-11-se-overview) that are enrolled in the [Windows Insider](https://insider.windows.com) program. Its policy binary file is found in the EFI system partition at `<EFI System Partition>\Microsoft\Boot\CIPolicies\Active\{5dac656c-21ad-4a02-ab49-649917162e70}.cip`. |
| **WindowsE_Lockdown_Test_Policy_Supplemental** | {CDD5CB55-DB68-4D71-AA38-3DF2B6473A52} | Supplemental policy | This policy is active on devices running [Windows 11 SE](/education/windows/windows-11-se-overview) with Secure Boot disabled and TESTSIGNING on. Its policy binary file is found in the EFI system partition at `<EFI System Partition>\Microsoft\Boot\CIPolicies\Active\{CDD5CB55-DB68-4D71-AA38-3DF2B6473A52}.cip`. |
| **VerifiedAndReputableDesktop** | {0283ac0f-fff1-49ae-ada1-8a933130cad6} | Base policy | This policy is active on devices running Windows 11 with [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) turned on. Its policy binary file is found at `%windir%\System32\CodeIntegrity\CIPolicies\Active\{0283ac0f-fff1-49ae-ada1-8a933130cad6}.cip`. |
| **VerifiedAndReputableDesktopFlightSupplemental** | {1678656c-05ef-481f-bc5b-ebd8c991502d} | Supplemental policy | This policy is active on devices running Windows 11 with [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) turned on and enrolled in the [Windows Insider](https://insider.windows.com) program. Its policy binary file is found at `%windir%\System32\CodeIntegrity\CIPolicies\Active\{1678656c-05ef-481f-bc5b-ebd8c991502d}.cip`. |
| **VerifiedAndReputableDesktopTestSupplemental** | {0939ED82-BFD5-4D32-B58E-D31D3C49715A} | Supplemental policy | This policy is active on devices running Windows 11 with [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) turned on and with Secure Boot disabled and TESTSIGNING on. Its policy binary file is found at `%windir%\System32\CodeIntegrity\CIPolicies\Active\{0939ED82-BFD5-4D32-B58E-D31D3C49715A}.cip`. |
| **VerifiedAndReputableDesktopEvaluation** | {1283ac0f-fff1-49ae-ada1-8a933130cad6} | Base policy | This policy is active on devices running Windows 11 with [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) in *evaluation mode*. Its policy binary file is found at `%windir%\System32\CodeIntegrity\CIPolicies\Active\{1283ac0f-fff1-49ae-ada1-8a933130cad6}.cip`. |
| **VerifiedAndReputableDesktopEvaluationFlightSupplemental** | {2678656c-05ef-481f-bc5b-ebd8c991502d} | Supplemental policy | This policy is active on devices running Windows 11 with [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) in *evaluation mode* and enrolled in the [Windows Insider](https://insider.windows.com) program. Its policy binary file is found at `%windir%\System32\CodeIntegrity\CIPolicies\Active\{2678656c-05ef-481f-bc5b-ebd8c991502d}.cip`. |
| **VerifiedAndReputableDesktopEvaluationTestSupplemental** | {1939ED82-BFD5-4D32-B58E-D31D3C49715A} | Supplemental policy | This policy is active on devices running Windows 11 with [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) in *evaluation mode* and with Secure Boot disabled and TESTSIGNING on. Its policy binary file is found at `%windir%\System32\CodeIntegrity\CIPolicies\Active\{1939ED82-BFD5-4D32-B58E-D31D3C49715A}.cip`. |
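Review bot: the front matter carries both `ms.manager: jsuther` and `manager: aaroncz`, naming two different people for the same metadata role; keep one. The **Policy ID** column mixes lowercase and uppercase GUIDs (`{0283ac0f-...}` versus `{CDD5CB55-...}`); since readers will match these against file names under `CIPolicies\Active`, normalising to one case avoids copy errors. The **Applies to** list includes Windows Server 2016 and above, yet every row except the Microsoft Windows Driver Policy describes client-only states (S mode, Windows 11 SE, Smart App Control); a sentence saying that only the driver block policy is expected on Server would stop readers looking for the others there.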

@ -96,7 +96,7 @@ Each file rule level has advantages and disadvantages. Use Table 2 to select the
| **FilePublisher** | This level combines the "FileName" attribute of the signed file, plus "Publisher" (PCA certificate with CN of leaf), plus a minimum version number. This option trusts specific files from the specified publisher, with a version at or above the specified version number. |
| **LeafCertificate** | Adds trusted signers at the individual signing certificate level. The benefit of using this level versus the individual hash level is that new versions of the product will have different hash values but typically the same signing certificate. When this level is used, no policy update would be needed to run the new version of the application. However, leaf certificates typically have shorter validity periods than other certificate levels, so the WDAC policy must be updated whenever these certificates change. |
| **PcaCertificate** | Adds the highest available certificate in the provided certificate chain to signers. This level is typically one certificate below the root because the scan doesn't resolve the complete certificate chain via the local root stores or with an online check. |
| **RootCertificate** | This level may produce an overly permissive policy and isn't recommended for most use cases. |
| **RootCertificate** | Not supported. |
| **WHQL** | Only trusts binaries that have been submitted to Microsoft and signed by the Windows Hardware Qualification Lab (WHQL). This level is primarily for kernel binaries. |
| **WHQLPublisher** | This level combines the WHQL level and the CN on the leaf certificate, and is primarily for kernel binaries. |
| **WHQLFilePublisher** | This level combines the "FileName" attribute of the signed file, plus "WHQLPublisher", plus a minimum version number. This level is primarily for kernel binaries. |
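Review bot: changing the **RootCertificate** row to "Not supported." removes the reason without saying what unsupported means: whether `New-CIPolicy` rejects `-Level RootCertificate`, or the policy builds but the rule is not honoured at runtime. The previous wording ("may produce an overly permissive policy") at least told readers why to avoid it; keep one sentence describing the behaviour a reader sees if they try the level, so the table stays actionable.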

@ -32,20 +32,12 @@ To complete these procedures, you must be a member of the Domain Administrators
1. **Default**. Selecting this option tells the computer to use the authentication method currently defined by the local administrator in Windows Defender Firewall or by Group Policy as the default.
2. **Computer and User (using Kerberos V5)**. Selecting this option tells the computer to use and require authentication of both the computer and the currently logged-on user by using their domain credentials.
2. **Computer certificate from this certification authority**. Selecting this option and entering the identification of a certification authority (CA) tells the computer to use and require authentication by using a certificate that is issued by the selected CA. If you also select **Accept only health certificates**, then only certificates that include the system health authentication extended key usage (EKU) typically provided in a Network Access Protection (NAP) infrastructure can be used for this rule.
3. **Computer (using Kerberos V5)**. Selecting this option tells the computer to use and require authentication of the computer by using its domain credentials. This option works with other computers that can use IKE v1, including earlier versions of Windows.
4. **User (using Kerberos V5)**. Selecting this option tells the computer to use and require authentication of the currently signed-in user by using their domain credentials.
5. **Computer certificate from this certification authority**. Selecting this option and entering the identification of a certification authority (CA) tells the computer to use and require authentication by using a certificate that is issued by the selected CA. If you also select **Accept only health certificates**, then only certificates that include the system health authentication extended key usage (EKU) typically provided in a Network Access Protection (NAP) infrastructure can be used for this rule.
6. **Advanced**. Click **Customize** to specify a custom combination of authentication methods required for your scenario. You can specify both a **First authentication method** and a **Second authentication method**.
3. **Advanced**. Click **Customize** to specify a custom combination of authentication methods required for your scenario. You can specify both a **First authentication method** and a **Second authentication method**.
The first authentication method can be one of the following methods:
- **Computer (Kerberos V5)**. Selecting this option tells the computer to use and require authentication of the computer by using its domain credentials. This option works with other computers that can use IKE v1, including earlier versions of Windows.
- **Computer (NTLMv2)**. Selecting this option tells the computer to use and require authentication of the computer by using its domain credentials. This option works only with other computers that can use AuthIP. User-based authentication using Kerberos V5 isn't supported by IKE v1.
- **Computer certificate from this certification authority (CA)**. Selecting this option and entering the identification of a CA tells the computer to use and require authentication by using a certificate that is issued by that CA. If you also select **Accept only health certificates**, then only certificates issued by a NAP server can be used.
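Review bot: removing the **Computer and User (using Kerberos V5)** and **Computer (using Kerberos V5)** items leaves the numbered list with **Default**, **Computer certificate from this certification authority** and **Advanced**, while the **First authentication method** list a few lines below still describes **Computer (Kerberos V5)**. If the dialog lost these quick options, say so; if they were only cut as redundant, the **Advanced** item should tell readers that domain Kerberos authentication is configured there. The retained certificate text still points readers at Network Access Protection (NAP) for health certificates, which is worth a caveat while this list is being trimmed.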
@ -56,8 +48,6 @@ To complete these procedures, you must be a member of the Domain Administrators
The second authentication method can be one of the following methods:
- **User (Kerberos V5)**. Selecting this option tells the computer to use and require authentication of the currently signed-in user by using their domain credentials. This authentication method works only with other computers that can use AuthIP. User-based authentication using Kerberos V5 isn't supported by IKE v1.
- **User (NTLMv2)**. Selecting this option tells the computer to use and require authentication of the currently signed-in user by using their domain credentials, and uses the NTLMv2 protocol instead of Kerberos V5. This authentication method works only with other computers that can use AuthIP. User-based authentication using Kerberos V5 isn't supported by IKE v1.
- **User health certificate from this certification authority (CA)**. Selecting this option and entering the identification of a CA tells the computer to use and require user-based authentication by using a certificate that is issued by the specified CA. If you also select **Enable certificate to account mapping**, then the certificate can be associated with a user in Active Directory for purposes of granting or denying access to specified users or user groups.
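Review bot: after dropping **User (Kerberos V5)** and **User (NTLMv2)**, the list introduced by "The second authentication method can be one of the following methods" has a single item, the user health certificate, so the lead sentence no longer matches. Either keep the user Kerberos option (it was the only domain-credential second method described) or reword the lead line and state that user authentication by domain credentials is not covered here.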

@ -39,18 +39,12 @@ To create the authentication request rule:
1. **Default**. Selecting this option tells the device to request authentication by using the method currently defined as the default on the device. This default might have been configured when the operating system was installed or it might have been configured by Group Policy. Selecting this option is appropriate when you have configured system-wide settings by using the [Configure Authentication Methods](configure-authentication-methods.md) procedure.
2. **Computer and User (Kerberos V5)**. Selecting this option tells the device to request authentication of both the device and the currently logged-on user by using their domain credentials. This authentication method works only with other devices that can use AuthIP. User-based authentication using Kerberos V5 is not supported by IKE v1.
3. **Computer (Kerberos V5)**. Selecting this option tells the device to request authentication of the device by using its domain credentials. This option works with other devices than can use IKE v1, including earlier versions of Windows.
4. **Advanced**. Selecting this option enables you to specify a custom combination of authentication methods required for your scenario.
2. **Advanced**. Selecting this option enables you to specify a custom combination of authentication methods required for your scenario.
6. Optional: If you selected **Advanced** in the previous step, then Click **Customize** to specify a custom combination of authentication methods required for your scenario. You can specify both a **First authentication method** and a **Second authentication method**.
The **First authentication method** can be one of the following:
- **Computer (Kerberos V5)**. Selecting this option tells the device to request authentication of the device by using its domain credentials. This option works with other devices than can use IKE v1, including earlier versions of Windows.
- **Computer (NTLMv2)**. Selecting this option tells the device to use and require authentication of the device by using its domain credentials. This option works only with other devices that can use AuthIP. User-based authentication using Kerberos V5 is not supported by IKE v1.
- **Computer certificate from this certification authority (CA)**. Selecting this option and entering the identification of a CA tells the device to request authentication by using a certificate that is issued by the specified CA. If you also select **Accept only health certificates**, then only certificates issued by a NAP server can be used for this rule.
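Review bot: the retained context line "This option works with other devices than can use IKE v1" has "than" for "that"; fix it while this hunk is open. The removal of **Computer and User (Kerberos V5)** and **Computer (Kerberos V5)** from the options list, with **Computer (Kerberos V5)** still described under **First authentication method**, needs the same explanation as the companion configure-authentication-methods change: say whether the dialog lost these options or whether the doc now just routes readers through **Advanced**.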
@ -61,8 +55,6 @@ To create the authentication request rule:
The **Second authentication method** can be one of the following:
- **User (Kerberos V5)**. Selecting this option tells the device to use and require authentication of the currently logged-on user by using his or her domain credentials. This authentication method works only with other devices that can use AuthIP. User-based authentication using Kerberos V5 is not supported by IKE v1.
- **User (NTLMv2)**. Selecting this option tells the device to use and require authentication of the currently logged-on user by using his or her domain credentials, and uses the NTLMv2 protocol instead of Kerberos V5. This authentication method works only with other devices that can use AuthIP. User-based authentication using NTLMv2 is not supported by IKE v1.
- **User health certificate from this certification authority (CA)**. Selecting this option and entering the identification of a CA tells the device to request user-based authentication by using a certificate that is issued by the specified CA. If you also select **Enable certificate to account mapping**, then the certificate can be associated with a user in Active Directory for purposes of granting or denying access to certain users or user groups.
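Review bot: with **User (Kerberos V5)** and **User (NTLMv2)** removed, "The **Second authentication method** can be one of the following" introduces a one-item list. Reword the lead sentence, or keep the Kerberos user option, and note that the removed NTLMv2 sentence was the only place this page said NTLMv2 user authentication is not supported by IKE v1; if that caveat still applies, move it to the retained text.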

@ -72,11 +72,9 @@ There are several ways to get and use security baselines:
[![Microsoft Security Guidance Blog.](./../images/community.png)](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/bg-p/Microsoft-Security-Baselines)
## Related videos
> [!VIDEO https://learn-video.azurefd.net/vod/player?show=defrag-tools&ep=174-security-baseline-policy-analyzer-lgpo]
## See also
- [Microsoft Security Guidance Blog](/archive/blogs/secguide/)
- [Microsoft Security Compliance Toolkit](https://www.microsoft.com/download/details.aspx?id=55319)
- [Security Baseline Policy Analyzer](https://learn-video.azurefd.net/vod/player?show=defrag-tools&ep=174-security-baseline-policy-analyzer-lgpo)
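Review bot: the new **See also** entry **Microsoft Security Guidance Blog** links to `/archive/blogs/secguide/`, while the image link a few lines above with the same name goes to the techcommunity `microsoft-security-baselines` board; the same label pointing at two targets will confuse readers, so pick the live one. Replacing the `[!VIDEO]` embed with a plain link is fine, but the link text **Security Baseline Policy Analyzer** drops the LGPO half of the episode name in the URL (`...policy-analyzer-lgpo`); **Security Baseline Policy Analyzer and LGPO** would match the video.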
