mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-20 01:07:23 +00:00
Merge branch 'main' into delete-windows-content-ADO-8098894
commit
0adf620ff9
@ -2,6 +2,15 @@
|
||||
|
||||
|
||||
|
||||
## Week of September 11, 2023
|
||||
|
||||
|
||||
| Published On |Topic title | Change |
|
||||
|------|------------|--------|
|
||||
| 9/11/2023 | [Configure education themes for Windows 11](/education/windows/edu-themes) | modified |
|
||||
| 9/11/2023 | [Configure federated sign-in for Windows devices](/education/windows/federated-sign-in) | modified |
|
||||
|
||||
|
||||
## Week of September 04, 2023
|
||||
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
---
|
||||
title: Configure federation between Google Workspace and Azure AD
|
||||
description: Configuration of a federated trust between Google Workspace and Azure AD, with Google Workspace acting as an identity provider (IdP) for Azure AD.
|
||||
ms.date: 04/04/2023
|
||||
ms.date: 09/11/2023
|
||||
ms.topic: how-to
|
||||
appliesto:
|
||||
---
|
||||
@ -41,7 +41,7 @@ To test federation, the following prerequisites must be met:
|
||||
1. In the search results page, hover over the *Microsoft Office 365 - Web (SAML)* app and select **Select**
|
||||
:::image type="content" source="images/google/google-admin-search-app.png" alt-text="Screenshot showing Google Workspace and the search button for Microsoft Office 365 SAML app.":::
|
||||
1. On the **Google Identity Provider details** page, select **Download Metadata** and take note of the location where the **IdP metadata** - *GoogleIDPMetadata.xml* - file is saved, as it will be used to setup Azure AD later
|
||||
1. On the **Service provider detail*s** page
|
||||
1. On the **Service provider detail's** page
|
||||
- Select the option **Signed response**
|
||||
- Verify that the Name ID format is set to **PERSISTENT**
|
||||
- Depending on how the Azure AD users have been provisioned in Azure AD, you may need to adjust the **Name ID** mapping.\
|
||||
|
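Review bot: The replacement line for the third step, "1. On the **Service provider detail's** page", trades the stray asterisk for a stray apostrophe. The page name is a plural, not a possessive, so write **Service provider details**, matching **Google Identity Provider details** in the step above it.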
@ -1,7 +1,7 @@
|
||||
---
|
||||
title: Configure education themes for Windows 11
|
||||
description: Learn about education themes for Windows 11 and how to configure them via Intune and provisioning package.
|
||||
ms.date: 09/15/2022
|
||||
ms.date: 09/11/2023
|
||||
ms.topic: how-to
|
||||
appliesto:
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
|
||||
@ -12,25 +12,30 @@ appliesto:
|
||||
|
||||
Starting in **Windows 11, version 22H2**, you can deploy education themes to your devices. The education themes are designed for students using devices in a school.
|
||||
|
||||
:::image type="content" source="./images/win-11-se-themes-1.png" alt-text="Windows 11 desktop with 3 stickers" border="true":::
|
||||
:::image type="content" source="./images/win-11-se-themes-1.png" alt-text="Screenshot of Windows 11 desktop with 3 stickers" border="true":::
|
||||
|
||||
Themes allow the end user to quickly configure the look and feel of the device, with preset wallpaper, accent color, and other settings.
|
||||
Students can choose their own themes, making it feel the device is their own. When students feel more ownership over their device, they tend to take better care of it. This is great news for schools looking to give that same device to a new student the next year.
|
||||
Students can choose their own themes, making it feel the device is their own. When students feel more ownership over their device, they tend to take better care of it.
|
||||
|
||||
## Enable education themes
|
||||
|
||||
Education themes aren't enabled by default. Follow the instructions below to configure your devices using either Microsoft Intune or a provisioning package (PPKG).
|
||||
Education themes aren't enabled by default. The following instructions describe how to configure your devices using either Microsoft Intune or a provisioning package (PPKG).
|
||||
|
||||
#### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune)
|
||||
|
||||
[!INCLUDE [intune-custom-settings-1](../../includes/configure/intune-custom-settings-1.md)]
|
||||
[!INCLUDE [intune-settings-catalog-1](../../includes/configure/intune-settings-catalog-1.md)]
|
||||
|
||||
| Category | Setting name | Value |
|
||||
|--|--|--|
|
||||
| Education | Enable Edu Themes | Enabled |
|
||||
|
||||
[!INCLUDE [intune-settings-catalog-2](../../includes/configure/intune-settings-catalog-2.md)]
|
||||
|
||||
Alternatively, you can configure devices using a [custom policy][INT-1] with the following settings:
|
||||
|
||||
| Setting |
|
||||
|--------|
|
||||
| <li> OMA-URI: **`./Vendor/MSFT/Policy/Config/Education/EnableEduThemes`** </li><li>Data type: **Integer** </li><li>Value: **1**</li>|
|
||||
|
||||
[!INCLUDE [intune-custom-settings-2](../../includes/configure/intune-custom-settings-2.md)]
|
||||
[!INCLUDE [intune-custom-settings-info](../../includes/configure/intune-custom-settings-info.md)]
|
||||
| **OMA-URI**: `./Vendor/MSFT/Policy/Config/Education/EnableEduThemes`<br>**Data type**: int<br>**Value**: `1`|
|
||||
|
||||
#### [:::image type="icon" source="images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg)
|
||||
|
||||
@ -46,15 +51,15 @@ Follow the steps in [Apply a provisioning package][WIN-2] to apply the package t
|
||||
|
||||
## How to use the education themes
|
||||
|
||||
Once the education themes are enabled, the device will download them as soon as a user signs in to the device.
|
||||
Once the education themes are enabled, the device downloads them as soon as a user signs in to the device.
|
||||
|
||||
To change the theme, select **Settings** > **Personalization** > **Themes** > **Select a theme**
|
||||
|
||||
:::image type="content" source="./images/win-11-se-themes.png" alt-text="Windows 11 education themes selection" border="true":::
|
||||
:::image type="content" source="./images/win-11-se-themes.png" alt-text="Screenshot of Windows 11 education themes selection" border="true":::
|
||||
|
||||
-----------
|
||||
|
||||
[MEM-1]: /mem/intune/configuration/custom-settings-windows-10
|
||||
[INT-1]: /mem/intune/configuration/custom-settings-windows-10
|
||||
|
||||
[WIN-1]: /windows/configuration/provisioning-packages/provisioning-create-package
|
||||
[WIN-2]: /windows/configuration/provisioning-packages/provisioning-apply-package
|
@ -1,13 +1,12 @@
|
||||
---
|
||||
title: Configure federated sign-in for Windows devices
|
||||
description: Description of federated sign-in feature for the Education SKUs of Windows 11 and how to configure it via Intune or provisioning packages.
|
||||
ms.date: 05/01/2023
|
||||
description: Learn about federated sign-in in Windows how to configure it.
|
||||
ms.date: 09/11/2023
|
||||
ms.topic: how-to
|
||||
appliesto:
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE</a>
|
||||
ms.collection:
|
||||
- highpri
|
||||
- tier1
|
||||
- education
|
||||
---
|
||||
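Review bot: The new front-matter description is missing a conjunction: "Learn about federated sign-in in Windows how to configure it." should read "Learn about federated sign-in in Windows and how to configure it." The previous description also said the feature is for the Education SKUs and named Intune and provisioning packages as the configuration methods; consider keeping the Education qualifier, since the article is still scoped that way.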
@ -77,21 +76,25 @@ To use web sign-in with a federated identity provider, your devices must be conf
|
||||
|
||||
#### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune)
|
||||
|
||||
To configure federated sign-in using Microsoft Intune, [create a custom profile][MEM-1] with the following settings:
|
||||
[!INCLUDE [intune-settings-catalog-1](../../includes/configure/intune-settings-catalog-1.md)]
|
||||
|
||||
[!INCLUDE [intune-custom-settings-1](../../includes/configure/intune-custom-settings-1.md)]
|
||||
| Category | Setting name | Value |
|
||||
|--|--|--|
|
||||
| Education | Is Education Environment | Enabled |
|
||||
| Federated Authentication | Enable Web Sign In For Primary User | Enabled |
|
||||
| Authentication | Configure Web Sign In Allowed Urls | Semicolon separated list of domains, for example: `samlidp.clever.com;clever.com;mobile-redirector.clever.com` |
|
||||
| Authentication | Configure Webcam Access Domain Names | This setting is optional, and it should be configured if you need to use the webcam during the sign-in process. Specify the list of domains that are allowed to use the webcam during the sign-in process, separated by a semicolon. For example: `clever.com` |
|
||||
|
||||
[!INCLUDE [intune-settings-catalog-2](../../includes/configure/intune-settings-catalog-2.md)]
|
||||
|
||||
Alternatively, you can configure devices using a [custom policy][INT-1] with the following settings:
|
||||
|
||||
| Setting |
|
||||
|--------|
|
||||
| <li> OMA-URI: **`./Vendor/MSFT/Policy/Config/Education/IsEducationEnvironment`** </li><li>Data type: **Integer** </li><li>Value: **1**</li>|
|
||||
| <li> OMA-URI: **`./Vendor/MSFT/Policy/Config/FederatedAuthentication/EnableWebSignInForPrimaryUser`** </li><li>Data type: **Integer** </li><li>Value: **1**</li>|
|
||||
| <li> OMA-URI: **`./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebSignInAllowedUrls`** </li><li>Data type: **String** </li><li>Value: Semicolon separated list of domains, for example: **`samlidp.clever.com;clever.com;mobile-redirector.clever.com`**</li>|
|
||||
| <li> OMA-URI: **`./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebCamAccessDomainNames`** </li><li>Data type: **String** </li><li>Value: This setting is optional, and it should be configured if you need to use the webcam during the sign-in process. Specify the list of domains that are allowed to use the webcam during the sign-in process, separated by a semicolon. For example: **`clever.com`**</li>|
|
||||
|
||||
:::image type="content" source="images/federated-sign-in-settings-intune.png" alt-text="Custom policy showing the settings to be configured to enable federated sign-in" lightbox="images/federated-sign-in-settings-intune.png" border="true":::
|
||||
|
||||
[!INCLUDE [intune-custom-settings-2](../../includes/configure/intune-custom-settings-2.md)]
|
||||
[!INCLUDE [intune-custom-settings-info](../../includes/configure/intune-custom-settings-info.md)]
|
||||
| **OMA-URI**: `./Vendor/MSFT/Policy/Config/Education/IsEducationEnvironment`<br>**Data type**: int<br>**Value**: `1`|
|
||||
| **OMA-URI**: `./Vendor/MSFT/Policy/Config/FederatedAuthentication/EnableWebSignInForPrimaryUser`<br>**Data type**: int<br>**Value**: `1`|
|
||||
| **OMA-URI**: `./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebSignInAllowedUrls`<br>**Data type**: String <br>**Value**: Semicolon separated list of domains, for example: `samlidp.clever.com;clever.com;mobile-redirector.clever.com`|
|
||||
| **OMA-URI**: `./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebCamAccessDomainNames`** <br>**Data type**: String <br>**Value**: This setting is optional, and it should be configured if you need to use the webcam during the sign-in process. Specify the list of domains that are allowed to use the webcam during the sign-in process, separated by a semicolon. For example: `clever.com`|
|
||||
|
||||
#### [:::image type="icon" source="images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg)
|
||||
|
||||
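Review bot: The new custom-policy row for ConfigureWebCamAccessDomainNames has a leftover bold marker after the OMA-URI: the closing backtick is followed by "** <br>**Data type**", which leaves the asterisks unbalanced and will throw off bold rendering in that cell. Remove the "**" that follows the closing backtick so the row matches the three rows above it. The data type is also written "int" in the first two rows and "String" in the last two; settle on one casing.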
@ -99,12 +102,12 @@ To configure federated sign-in using a provisioning package, use the following s
|
||||
|
||||
| Setting |
|
||||
|--------|
|
||||
| <li> Path: **`Education/IsEducationEnvironment`** </li><li>Value: **Enabled**</li>|
|
||||
| <li> Path: **`FederatedAuthentication/EnableWebSignInForPrimaryUser`** </li><li>Value: **Enabled**</li>|
|
||||
| <li> Path: **`Policies/Authentication/ConfigureWebSignInAllowedUrls`** </li><li>Value: Semicolon separated list of domains, for example: **`samlidp.clever.com;clever.com;mobile-redirector.clever.com`**</li>|
|
||||
| <li> Path: **`Policies/Authentication/ConfigureWebCamAccessDomainNames`** </li><li>Value: This setting is optional, and it should be configured if you need to use the webcam during the sign-in process. Specify the list of domains that are allowed to use the webcam during the sign-in process, separated by a semicolon. For example: **`clever.com`**</li>|
|
||||
| **Path**: `Education/IsEducationEnvironment` <br>**Value**: Enabled|
|
||||
| **Path**: `FederatedAuthentication/EnableWebSignInForPrimaryUser` <br>**Value**: Enabled|
|
||||
| **Path**: `Policies/Authentication/ConfigureWebSignInAllowedUrls` <br>**Value**: Semicolon separated list of domains, for example: `samlidp.clever.com;clever.com;mobile-redirector.clever.com`|
|
||||
| **Path**: `Policies/Authentication/ConfigureWebCamAccessDomainNames` <br>**Value**: This setting is optional, and it should be configured if you need to use the webcam during the sign-in process. Specify the list of domains that are allowed to use the webcam during the sign-in process, separated by a semicolon. For example: `clever.com`|
|
||||
|
||||
:::image type="content" source="images/federated-sign-in-settings-ppkg.png" alt-text="Custom policy showing the settings to be configured to enable federated sign-in" lightbox="images/federated-sign-in-settings-ppkg.png" border="true":::
|
||||
:::image type="content" source="images/federated-sign-in-settings-ppkg.png" alt-text="Screenshot of Custom policy showing the settings to be configured to enable federated sign-in" lightbox="images/federated-sign-in-settings-ppkg.png" border="true":::
|
||||
|
||||
Apply the provisioning package to the single-user devices that require federated sign-in.
|
||||
|
||||
@ -119,20 +122,27 @@ To use web sign-in with a federated identity provider, your devices must be conf
|
||||
|
||||
#### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune)
|
||||
|
||||
To configure federated sign-in using Microsoft Intune, [create a custom profile][MEM-1] with the following settings:
|
||||
[!INCLUDE [intune-settings-catalog-1](../../includes/configure/intune-settings-catalog-1.md)]
|
||||
|
||||
[!INCLUDE [intune-custom-settings-1](../../includes/configure/intune-custom-settings-1.md)]
|
||||
| Category | Setting name | Value |
|
||||
|--|--|--|
|
||||
| Education | Is Education Environment | Enabled |
|
||||
| SharedPC | Enable Shared PC Mode With OneDrive Sync | True |
|
||||
| Authentication | Enable Web Sign In | Enabled |
|
||||
| Authentication | Configure Web Sign In Allowed Urls | Semicolon separated list of domains, for example: `samlidp.clever.com;clever.com;mobile-redirector.clever.com` |
|
||||
| Authentication | Configure Webcam Access Domain Names | This setting is optional, and it should be configured if you need to use the webcam during the sign-in process. Specify the list of domains that are allowed to use the webcam during the sign-in process, separated by a semicolon. For example: `clever.com` |
|
||||
|
||||
[!INCLUDE [intune-settings-catalog-2](../../includes/configure/intune-settings-catalog-2.md)]
|
||||
|
||||
Alternatively, you can configure devices using a [custom policy][INT-1] with the following settings:
|
||||
|
||||
| Setting |
|
||||
|--------|
|
||||
| <li> OMA-URI: **`./Vendor/MSFT/Policy/Config/Education/IsEducationEnvironment`** </li><li>Data type: **Integer** </li><li>Value: **1**</li>|
|
||||
| <li> OMA-URI: **`./Vendor/MSFT/SharedPC/EnableSharedPCModeWithOneDriveSync`** </li><li>Data type: **Boolean** </li><li>Value: **True**</li>|
|
||||
| <li> OMA-URI: **`./Vendor/MSFT/Policy/Config/Authentication/EnableWebSignIn`** </li><li>Data type: **Integer** </li><li>Value: **1**</li>|
|
||||
| <li> OMA-URI: **`./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebSignInAllowedUrls`** </li><li>Data type: **String** </li><li>Value: Semicolon separated list of domains, for example: **`samlidp.clever.com;clever.com;mobile-redirector.clever.com`**</li>|
|
||||
| <li> OMA-URI: **`./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebCamAccessDomainNames`** </li><li>Data type: **String** </li><li>Value: This setting is optional, and it should be configured if you need to use the webcam during the sign-in process. Specify the list of domains that are allowed to use the webcam during the sign-in process, separated by a semicolon. For example: **`clever.com`**</li>|
|
||||
|
||||
[!INCLUDE [intune-custom-settings-2](../../includes/configure/intune-custom-settings-2.md)]
|
||||
[!INCLUDE [intune-custom-settings-info](../../includes/configure/intune-custom-settings-info.md)]
|
||||
| **OMA-URI**: `./Vendor/MSFT/Policy/Config/Education/IsEducationEnvironment`<br>**Data type**: int<br>**Value**: `1`|
|
||||
| **OMA-URI**: `./Vendor/MSFT/SharedPC/EnableSharedPCModeWithOneDriveSync`<br>**Data type**: Boolean<br>**Value**: True|
|
||||
| **OMA-URI**: `./Vendor/MSFT/Policy/Config/Authentication/EnableWebSignIn`<br>**Data type**: Integer<br>**Value**: `1`|
|
||||
| **OMA-URI**: `./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebSignInAllowedUrls`<br>**Data type**: String <br>**Value**: Semicolon separated list of domains, for example: `samlidp.clever.com;clever.com;mobile-redirector.clever.com`|
|
||||
| **OMA-URI**: `./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebCamAccessDomainNames`<br>**Data type**: String <br>**Value**: This setting is optional, and it should be configured if you need to use the webcam during the sign-in process. Specify the list of domains that are allowed to use the webcam during the sign-in process, separated by a semicolon. For example: `clever.com`|
|
||||
|
||||
#### [:::image type="icon" source="images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg)
|
||||
|
||||
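Review bot: In the new custom-policy rows for shared devices, the same data type is spelled two ways: "int" for IsEducationEnvironment and "Integer" for EnableWebSignIn, both with value 1. Use one spelling across the table and keep it in line with the single-user table earlier in the article. The Boolean value "True" is also left unformatted while the integer values are in code formatting; format them the same way.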
@ -140,11 +150,11 @@ To configure federated sign-in using a provisioning package, use the following s
|
||||
|
||||
| Setting |
|
||||
|--------|
|
||||
| <li> Path: **`Education/IsEducationEnvironment`** </li><li>Value: **Enabled**</li>|
|
||||
| <li> Path: **`SharedPC/EnableSharedPCModeWithOneDriveSync`** </li><li>Value: **True**</li>|
|
||||
| <li> Path: **`Policies/Authentication/EnableWebSignIn`** </li><li>Value: **Enabled**</li>|
|
||||
| <li> Path: **`Policies/Authentication/ConfigureWebSignInAllowedUrls`** </li><li>Value: Semicolon separated list of domains, for example: **`samlidp.clever.com;clever.com;mobile-redirector.clever.com`**</li>|
|
||||
| <li> Path: **`Policies/Authentication/ConfigureWebCamAccessDomainNames`** </li><li>Value: This setting is optional, and it should be configured if you need to use the webcam during the sign-in process. Specify the list of domains that are allowed to use the webcam during the sign-in process, separated by a semicolon. For example: **`clever.com`**</li>|
|
||||
| <li> Path: **`Education/IsEducationEnvironment`**<br>Value: **Enabled**|
|
||||
| <li> Path: **`SharedPC/EnableSharedPCModeWithOneDriveSync`**<br>Value: **True**|
|
||||
| <li> Path: **`Policies/Authentication/EnableWebSignIn`**<br>Value: **Enabled**|
|
||||
| <li> Path: **`Policies/Authentication/ConfigureWebSignInAllowedUrls`**<br>Value: Semicolon separated list of domains, for example: **`samlidp.clever.com;clever.com;mobile-redirector.clever.com`**|
|
||||
| <li> Path: **`Policies/Authentication/ConfigureWebCamAccessDomainNames`**<br>Value: This setting is optional, and it should be configured if you need to use the webcam during the sign-in process. Specify the list of domains that are allowed to use the webcam during the sign-in process, separated by a semicolon. For example: **`clever.com`**|
|
||||
|
||||
Apply the provisioning package to the shared devices that require federated sign-in.
|
||||
|
||||
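Review bot: The five new provisioning-package rows for shared devices still open with "<li>" but no longer close it, for example "| <li> Path: **`Education/IsEducationEnvironment`**<br>Value: **Enabled**|". That leaves an unclosed list item in every cell and is inconsistent with the single-user PPKG rows in the earlier hunk, which use "**Path**: `...` <br>**Value**: Enabled". Drop the "<li>" and move the bold to the labels so both tables render the same way.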
@ -159,7 +169,7 @@ Once the devices are configured, a new sign-in experience becomes available.
|
||||
|
||||
As users enter their username, they're redirected to the identity provider sign-in page. Once the Idp authenticates the users, they're signed-in. In the following animation, you can observe how the first sign-in process works for a student assigned (1:1) device:
|
||||
|
||||
:::image type="content" source="./images/win-11-se-federated-sign-in.gif" alt-text="Windows 11 SE sign-in using federated sign-in through Clever and QR code badge, in a student assigned (1:1) device." border="false":::
|
||||
:::image type="content" source="./images/win-11-se-federated-sign-in.gif" alt-text="Screenshot of Windows 11 SE sign-in using federated sign-in through Clever and QR code badge, in a student assigned (1:1) device." border="false":::
|
||||
|
||||
> [!IMPORTANT]
|
||||
> For student assigned (1:1) devices, once the policy is enabled, the first user who sign-in to the device will also set the disambiguation page to the identity provider domain on the device. This means that the device will be defaulting to that IdP. The user can exit the federated sign-in flow by pressing <kbd>Ctrl</kbd>+<kbd>Alt</kbd>+<kbd>Delete</kbd> to get back to the standard Windows sign-in screen.
|
||||
@ -203,7 +213,7 @@ After the token sent by the IdP is validated, Azure AD searches for a matching u
|
||||
|
||||
If the matching object is found, the user is signed-in. Otherwise, the user is presented with an error message. The following picture shows that a user with the ImmutableId *260051* can't be found:
|
||||
|
||||
:::image type="content" source="images/federation/user-match-lookup-failure.png" alt-text="Azure AD sign-in error: a user with a matching ImmutableId can't be found in the tenant." lightbox="images/federation/user-match-lookup-failure.png":::
|
||||
:::image type="content" source="images/federation/user-match-lookup-failure.png" alt-text="Screenshot of Azure AD sign-in error: a user with a matching ImmutableId can't be found in the tenant." lightbox="images/federation/user-match-lookup-failure.png":::
|
||||
|
||||
> [!IMPORTANT]
|
||||
> The ImmutableId matching is case-sensitive.
|
||||
@ -245,7 +255,7 @@ Update-MgUser -UserId alton@example.onmicrosoft.com -UserPrincipalName alton@exa
|
||||
[GRAPH-1]: /graph/api/user-post-users?tabs=powershell
|
||||
|
||||
[EXT-1]: https://support.clever.com/hc/s/articles/000001546
|
||||
[MEM-1]: /mem/intune/configuration/custom-settings-windows-10
|
||||
[INT-1]: /mem/intune/configuration/custom-settings-windows-10
|
||||
|
||||
[MSFT-1]: https://www.microsoft.com/download/details.aspx?id=56843
|
||||
|
||||
|
@ -2,9 +2,8 @@
|
||||
title: Get and deploy Minecraft Education
|
||||
description: Learn how to obtain and distribute Minecraft Education to Windows devices.
|
||||
ms.topic: how-to
|
||||
ms.date: 02/23/2023
|
||||
ms.date: 09/11/2023
|
||||
ms.collection:
|
||||
- highpri
|
||||
- education
|
||||
- tier2
|
||||
---
|
||||
|
Binary file not shown.
Before Width: | Height: | Size: 102 KiB |
@ -1406,7 +1406,9 @@ This value represents a bitmask with each bit and the corresponding error code d
|
||||
| 13 |A TPM isn't available for BitLocker, either because it isn't present, it has been made unavailable in the Registry, or the OS is on a removable drive. |
|
||||
| 14 |The TPM isn't ready for BitLocker.|
|
||||
| 15 |The network isn't available, which is required for recovery key backup. |
|
||||
| 16-31 |For future use.|
|
||||
| 16 |The encryption type of the OS volume for full disk versus used space only encryption doesn't match the BitLocker policy.|
|
||||
| 17 |The encryption type of the fixed drive for full disk versus used space only encryption doesn't match the BitLocker policy.|
|
||||
| 18-31 |For future use.|
|
||||
<!-- Device-Status-DeviceEncryptionStatus-Editable-End -->
|
||||
|
||||
<!-- Device-Status-DeviceEncryptionStatus-DFProperties-Begin -->
|
||||
|
@ -9037,7 +9037,7 @@ Profile example
|
||||
<NativeProtocol>
|
||||
<Type>Sstp</Type>
|
||||
</NativeProtocol>
|
||||
<RetryTimeinHours>168</RetryTimeinHours>
|
||||
<RetryTimeInHours>168</RetryTimeInHours>
|
||||
</ProtocolList>
|
||||
<Authentication>
|
||||
<UserMethod>Eap</UserMethod>
|
||||
|
@ -5,14 +5,14 @@ manager: aaroncz
|
||||
ms.author: frankroj
|
||||
ms.prod: windows-client
|
||||
author: frankroj
|
||||
ms.date: 11/01/2022
|
||||
ms.date: 09/18/2023
|
||||
ms.topic: article
|
||||
ms.technology: itpro-deploy
|
||||
---
|
||||
|
||||
# Exclude files and settings
|
||||
|
||||
When you specify the migration .xml files, `MigApp.xml`, `MigDocs.xml`, and `MigUser.xml`, the User State Migration Tool (USMT) 10.0 migrates the settings and components listed, as discussed in [What does USMT migrate?](usmt-what-does-usmt-migrate.md) You can create a custom .xml file to further specify what to include or exclude in the migration. In addition you can create a `Config.xml` file to exclude an entire component from a migration. You can't, however, exclude users by using the migration .xml files or the `Config.xml` file. The only way to specify which users to include and exclude is by using the user options on the command line in the ScanState tool. For more information, see the [User options](usmt-scanstate-syntax.md#user-options) section of the [ScanState syntax](usmt-scanstate-syntax.md) article.
|
||||
When you specify the migration .xml files, `MigApp.xml`, `MigDocs.xml`, and `MigUser.xml`, the User State Migration Tool (USMT) 10.0 migrates the settings and components listed, as discussed in [What does USMT migrate?](usmt-what-does-usmt-migrate.md) You can create a custom .xml file to further specify what to include or exclude in the migration. In addition, you can create a `Config.xml` file to exclude an entire component from a migration. You can't, however, exclude users by using the migration .xml files or the `Config.xml` file. The only way to specify which users to include and exclude is by using the user options on the command line in the ScanState tool. For more information, see the [User options](usmt-scanstate-syntax.md#user-options) section of the [ScanState syntax](usmt-scanstate-syntax.md) article.
|
||||
|
||||
Methods to customize the migration and include and exclude files and settings include:
|
||||
|
||||
@ -33,7 +33,8 @@ We recommend that you create a custom .xml file instead of modifying the default
|
||||
The migration .xml files, `MigApp.xml`, `MigDocs.xml`, and `MigUser.xml`, contain the **<component>** element, which typically represents a self-contained component or an application such as Microsoft® Office Outlook® and Word. To exclude the files and registry settings that are associated with these components, use the **<include>** and **<exclude>** elements. For example, you can use these elements to migrate all files and settings with pattern X except files and settings with pattern Y, where Y is more specific than X. For the syntax of these elements, see [USMT XML Reference](usmt-xml-reference.md).
|
||||
|
||||
> [!NOTE]
|
||||
> If you specify an **<exclude>** rule, always specify a corresponding **<include>** rule. Otherwise, if you do not specify an **<include>** rule, the specific files or settings will not be included. They will already be excluded from the migration. Thus, an unaccompanied **<exclude>** rule is unnecessary.
|
||||
>
|
||||
> If you specify an **<exclude>** rule, always specify a corresponding **<include>** rule. Otherwise, if you don't specify an **<include>** rule, the specific files or settings aren't included. They're already excluded from the migration. Thus, an unaccompanied **<exclude>** rule is unnecessary.
|
||||
|
||||
- [Example 1: How to migrate all files from C:\\ except .mp3 files](#example-1-how-to-migrate-all-files-from-c-except-mp3-files)
|
||||
|
||||
@ -82,16 +83,16 @@ The following .xml file migrates all files and subfolders in `C:\Data`, except t
|
||||
<displayName _locID="miguser.sharedvideo">Test component</displayName>
|
||||
<role role="Data">
|
||||
<rules>
|
||||
<include>
|
||||
<objectSet>
|
||||
<pattern type="File">C:\Data\* [*]</pattern>
|
||||
</objectSet>
|
||||
</include>
|
||||
<exclude>
|
||||
<objectSet>
|
||||
<pattern type="File"> C:\Data\temp\* [*]</pattern>
|
||||
</objectSet>
|
||||
</exclude>
|
||||
<include>
|
||||
<objectSet>
|
||||
<pattern type="File">C:\Data\* [*]</pattern>
|
||||
</objectSet>
|
||||
</include>
|
||||
<exclude>
|
||||
<objectSet>
|
||||
<pattern type="File"> C:\Data\temp\* [*]</pattern>
|
||||
</objectSet>
|
||||
</exclude>
|
||||
</rules>
|
||||
</role>
|
||||
</component>
|
||||
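Review bot: While re-indenting this example, the exclude pattern keeps a leading space inside the element, "<pattern type="File"> C:\Data\temp\* [*]</pattern>", whereas the include pattern directly above it has none. Since these lines are being touched anyway, normalize the two so readers who copy the sample get one consistent pattern form.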
@ -104,23 +105,23 @@ The following .xml file migrates any subfolders in `C:\`EngineeringDrafts`, but
|
||||
|
||||
```xml
|
||||
<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/test">
|
||||
<component type="Documents" context="System">
|
||||
<displayName>Component to migrate all Engineering Drafts Documents without subfolders</displayName>
|
||||
<role role="Data">
|
||||
<rules>
|
||||
<include>
|
||||
<objectSet>
|
||||
<pattern type="File"> C:\EngineeringDrafts\* [*]</pattern>
|
||||
</objectSet>
|
||||
</include>
|
||||
<exclude>
|
||||
<objectSet>
|
||||
<pattern type="File"> C:\EngineeringDrafts\ [*]</pattern>
|
||||
</objectSet>
|
||||
</exclude>
|
||||
</rules>
|
||||
</role>
|
||||
</component>
|
||||
<component type="Documents" context="System">
|
||||
<displayName>Component to migrate all Engineering Drafts Documents without subfolders</displayName>
|
||||
<role role="Data">
|
||||
<rules>
|
||||
<include>
|
||||
<objectSet>
|
||||
<pattern type="File"> C:\EngineeringDrafts\* [*]</pattern>
|
||||
</objectSet>
|
||||
</include>
|
||||
<exclude>
|
||||
<objectSet>
|
||||
<pattern type="File"> C:\EngineeringDrafts\ [*]</pattern>
|
||||
</objectSet>
|
||||
</exclude>
|
||||
</rules>
|
||||
</role>
|
||||
</component>
|
||||
</migration>
|
||||
```
|
||||
|
||||
@ -130,35 +131,35 @@ The following .xml file migrates all files and subfolders in `C:\EngineeringDraf
|
||||
|
||||
```xml
|
||||
<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/test">
|
||||
<component type="Documents" context="System">
|
||||
<displayName>Component to migrate all Engineering Drafts Documents except Sample.doc</displayName>
|
||||
<role role="Data">
|
||||
<rules>
|
||||
<include>
|
||||
<objectSet>
|
||||
<pattern type="File"> C:\EngineeringDrafts\* [*]</pattern>
|
||||
</objectSet>
|
||||
</include>
|
||||
<exclude>
|
||||
<objectSet>
|
||||
<pattern type="File"> C:\EngineeringDrafts\ [Sample.doc]</pattern>
|
||||
</objectSet>
|
||||
</exclude>
|
||||
</rules>
|
||||
</role>
|
||||
</component>
|
||||
<component type="Documents" context="System">
|
||||
<displayName>Component to migrate all Engineering Drafts Documents except Sample.doc</displayName>
|
||||
<role role="Data">
|
||||
<rules>
|
||||
<include>
|
||||
<objectSet>
|
||||
<pattern type="File"> C:\EngineeringDrafts\* [*]</pattern>
|
||||
</objectSet>
|
||||
</include>
|
||||
<exclude>
|
||||
<objectSet>
|
||||
<pattern type="File"> C:\EngineeringDrafts\ [Sample.doc]</pattern>
|
||||
</objectSet>
|
||||
</exclude>
|
||||
</rules>
|
||||
</role>
|
||||
</component>
|
||||
</migration>
|
||||
```
|
||||
|
||||
### Example 5: How to exclude a file from any location
|
||||
|
||||
To exclude a Sample.doc file from any location on the C: drive, use the **<pattern>** element. If multiple files exist with the same name on the C: drive, all of these files will be excluded.
|
||||
To exclude a Sample.doc file from any location on the C: drive, use the **<pattern>** element. If multiple files exist with the same name on the C: drive, all of these files are excluded.
|
||||
|
||||
```xml
|
||||
<pattern type="File"> C:\* [Sample.doc] </pattern>
|
||||
```
|
||||
|
||||
To exclude a Sample.doc file from any drive on the computer, use the **<script>** element. If multiple files exist with the same name, all of these files will be excluded.
|
||||
To exclude a Sample.doc file from any drive on the computer, use the **<script>** element. If multiple files exist with the same name, all of these files are excluded.
|
||||
|
||||
```xml
|
||||
<script>MigXmlHelper.GenerateDrivePatterns("* [sample.doc]", "Fixed")</script>
|
||||
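Review bot: In Example 5 the file name is cased differently between the two samples: the prose and the pattern use "Sample.doc", while the script line uses "* [sample.doc]". Use the same casing in both so the example does not suggest that the two forms match different files. The reworded sentences ("all of these files are excluded") read fine.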
@ -174,15 +175,15 @@ The following .xml file excludes all `.mp3` files from the migration:
|
||||
|
||||
```xml
|
||||
<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/excludefiles">
|
||||
<component context="System" type="Documents">
|
||||
<component context="System" type="Documents">
|
||||
<displayName>Test</displayName>
|
||||
<role role="Data">
|
||||
<rules>
|
||||
<unconditionalExclude>
|
||||
<objectSet>
|
||||
<script>MigXmlHelper.GenerateDrivePatterns ("* [*.mp3]", "Fixed")</script>
|
||||
</objectSet>
|
||||
</unconditionalExclude>
|
||||
<unconditionalExclude>
|
||||
<objectSet>
|
||||
<script>MigXmlHelper.GenerateDrivePatterns ("* [*.mp3]", "Fixed")</script>
|
||||
</objectSet>
|
||||
</unconditionalExclude>
|
||||
</rules>
|
||||
</role>
|
||||
</component>
|
||||
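Review bot: The lead-in quoted in the hunk header says this file "excludes all `.mp3` files from the migration", but the rule is generated with `MigXmlHelper.GenerateDrivePatterns ("* [*.mp3]", "Fixed")`, so patterns are produced only for drives of type "Fixed". Suggest the lead-in say "on fixed drives". The call here also has a space before the opening parenthesis, while Example 5 writes `GenerateDrivePatterns("* [sample.doc]", "Fixed")`; pick one form for the whole file.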
@ -199,11 +200,11 @@ The following .xml file excludes only the files located on the C: drive.
|
||||
<displayName>Test</displayName>
|
||||
<role role="Data">
|
||||
<rules>
|
||||
<unconditionalExclude>
|
||||
<unconditionalExclude>
|
||||
<objectSet>
|
||||
<pattern type="File">c:\*[*]</pattern>
|
||||
<pattern type="File">c:\*[*]</pattern>
|
||||
</objectSet>
|
||||
</unconditionalExclude>
|
||||
</unconditionalExclude>
|
||||
</rules>
|
||||
</role>
|
||||
</component>
|
||||
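Review bot: The pattern `c:\*[*]` inside `<unconditionalExclude>` has no space between the path and the bracketed file part and uses a lowercase drive letter, unlike the other patterns in this file such as `C:\Program Files\* [*]` and `C:\* [Sample.doc]`. These lines are already touched by this change, so write it as `C:\* [*]` to keep every example in the same form.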
@ -217,53 +218,53 @@ The following .xml file unconditionally excludes the `HKEY_CURRENT_USER` registr
|
||||
```xml
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/miguser">
|
||||
<component type="Documents" context="User">
|
||||
<displayName>Test</displayName>
|
||||
<role role="Data">
|
||||
<rules>
|
||||
<include>
|
||||
<objectSet>
|
||||
<pattern type="Registry">HKCU\testReg[*]</pattern>
|
||||
</objectSet>
|
||||
</include>
|
||||
<unconditionalExclude>
|
||||
<objectSet>
|
||||
<pattern type="Registry">HKCU\*[*]</pattern>
|
||||
</objectSet>
|
||||
</unconditionalExclude>
|
||||
</rules>
|
||||
</role>
|
||||
</component>
|
||||
<component type="Documents" context="User">
|
||||
<displayName>Test</displayName>
|
||||
<role role="Data">
|
||||
<rules>
|
||||
<include>
|
||||
<objectSet>
|
||||
<pattern type="Registry">HKCU\testReg[*]</pattern>
|
||||
</objectSet>
|
||||
</include>
|
||||
<unconditionalExclude>
|
||||
<objectSet>
|
||||
<pattern type="Registry">HKCU\*[*]</pattern>
|
||||
</objectSet>
|
||||
</unconditionalExclude>
|
||||
</rules>
|
||||
</role>
|
||||
</component>
|
||||
</migration>
|
||||
```
|
||||
|
||||
##### Example 4: How to Exclude `C:\Windows` and `C:\Program Files`
|
||||
|
||||
The following .xml file unconditionally excludes the system folders of `C:\Windows` and `C:\Program Files`. Note that all `*.docx`, `*.xls` and `*.ppt` files won't be migrated because the **<unconditionalExclude>** element takes precedence over the **<include>** element.
|
||||
The following .xml file unconditionally excludes the system folders of `C:\Windows` and `C:\Program Files`. All `*.docx`, `*.xls` and `*.ppt` files aren't migrated because the **<unconditionalExclude>** element takes precedence over the **<include>** element.
|
||||
|
||||
```xml
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/miguser">
|
||||
<component type="Documents" context="System">
|
||||
<displayName>Test</displayName>
|
||||
<role role="Data">
|
||||
<rules>
|
||||
<include>
|
||||
<objectSet>
|
||||
<script>MigXmlHelper.GenerateDrivePatterns ("* [*.doc]", "Fixed")</script>
|
||||
<script>MigXmlHelper.GenerateDrivePatterns ("* [*.xls]", "Fixed")</script>
|
||||
<script>MigXmlHelper.GenerateDrivePatterns ("* [*.ppt]", "Fixed")</script>
|
||||
</objectSet>
|
||||
</include>
|
||||
<unconditionalExclude>
|
||||
<objectSet>
|
||||
<pattern type="File">C:\Program Files\* [*]</pattern>
|
||||
<pattern type="File">C:\Windows\* [*]</pattern>
|
||||
</objectSet>
|
||||
</unconditionalExclude>
|
||||
</rules>
|
||||
</role>
|
||||
</component>
|
||||
<component type="Documents" context="System">
|
||||
<displayName>Test</displayName>
|
||||
<role role="Data">
|
||||
<rules>
|
||||
<include>
|
||||
<objectSet>
|
||||
<script>MigXmlHelper.GenerateDrivePatterns ("* [*.doc]", "Fixed")</script>
|
||||
<script>MigXmlHelper.GenerateDrivePatterns ("* [*.xls]", "Fixed")</script>
|
||||
<script>MigXmlHelper.GenerateDrivePatterns ("* [*.ppt]", "Fixed")</script>
|
||||
</objectSet>
|
||||
</include>
|
||||
<unconditionalExclude>
|
||||
<objectSet>
|
||||
<pattern type="File">C:\Program Files\* [*]</pattern>
|
||||
<pattern type="File">C:\Windows\* [*]</pattern>
|
||||
</objectSet>
|
||||
</unconditionalExclude>
|
||||
</rules>
|
||||
</role>
|
||||
</component>
|
||||
</migration>
|
||||
```
|
||||
|
||||
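Review bot: The rewritten sentence under Example 4 names `*.docx`, `*.xls` and `*.ppt`, but the `<include>` rules in the sample generate patterns for `[*.doc]`, `[*.xls]` and `[*.ppt]`; make the prose and the XML agree. The new wording "All ... files aren't migrated" also reads as if no such files are migrated anywhere, while the `<unconditionalExclude>` patterns cover only `C:\Program Files\* [*]` and `C:\Windows\* [*]`. Suggest stating that files of those types under these two folders aren't migrated.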
@ -275,12 +276,13 @@ You can create and modify a `Config.xml` file if you want to exclude components
|
||||
|
||||
- **To exclude an operating system setting:** Specify `migrate="no"` for the setting under the **<WindowsComponents>** section.
|
||||
|
||||
- **To exclude My Documents:** Specify `migrate="no"` for **My Documents** under the **<Documents>** section. Note that any **<include>** rules in the .xml files will still apply. For example, if you have a rule that includes all the .docx files in My Documents, then only the .docx files will be migrated, but the rest of the files won't.
|
||||
- **To exclude My Documents:** Specify `migrate="no"` for **My Documents** under the **<Documents>** section. Any **<include>** rules in the .xml files are still applied. For example, if you have a rule that includes all the .docx files in My Documents, then .docx files are still migrated. However, any additional files that aren't .docx aren't migrated.
|
||||
|
||||
For more information, see [Config.xml File](usmt-configxml-file.md).
|
||||
|
||||
> [!NOTE]
|
||||
> To exclude a component from the `Config.xml` file, set the **migrate** value to **"no"**. Deleting the XML tag for the component from the `Config.xml` file will not exclude the component from your migration.
|
||||
>
|
||||
> To exclude a component from the `Config.xml` file, set the **migrate** value to **"no"**. Deleting the XML tag for the component from the `Config.xml` file doesn't exclude the component from your migration.
|
||||
|
||||
## Related articles
|
||||
|
||||
|
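Review bot: In the My Documents bullet, the new closing sentence "any additional files that aren't .docx aren't migrated" stacks two negatives and is harder to follow than the text it replaces. Something like "Other files in My Documents aren't migrated" says the same thing. The example would also be clearer if it stated that the .docx files are migrated because of the **<include>** rule, not in spite of `migrate="no"`.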
@ -127,8 +127,6 @@
|
||||
href: references/windows-autopatch-conflicting-configurations.md
|
||||
- name: Changes made at tenant enrollment
|
||||
href: references/windows-autopatch-changes-to-tenant.md
|
||||
- name: Driver and firmware updates public preview addendum
|
||||
href: references/windows-autopatch-driver-and-firmware-updates-public-preview-addendum.md
|
||||
- name: What's new
|
||||
href:
|
||||
items:
|
||||
|
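Review bot: This hunk removes two lines from the TOC (8 down to 6 per the header), which is one `name`/`href` pair out of the three entries shown. For the entry that is dropped, confirm that the target file under `references/` is deleted or redirected in the same change and that no remaining article links to it, otherwise the page stays published but is unreachable from navigation.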
@ -1,7 +1,7 @@
|
||||
---
|
||||
title: Add and verify admin contacts
|
||||
description: This article explains how to add and verify admin contacts
|
||||
ms.date: 05/30/2022
|
||||
ms.date: 09/15/2023
|
||||
ms.prod: windows-client
|
||||
ms.technology: itpro-updates
|
||||
ms.topic: how-to
|
||||
|
@ -68,7 +68,7 @@ Before you start managing Autopatch groups, ensure you’ve met the following pr
|
||||
1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
|
||||
1. Select **Devices** from the left navigation menu.
|
||||
1. Under the **Windows Autopatch** section, select **Release management**.
|
||||
1. In the **Release management** blade, select **Autopatch groups (preview)**.
|
||||
1. In the **Release management** blade, select **Autopatch groups**.
|
||||
1. In the **Autopatch groups** blade, select **Create**.
|
||||
1. In **Basics** page, enter a **name** and a **description** then select **Next: Deployment rings**.
|
||||
1. Enter up to 64 characters for the Autopatch group name and 150 characters maximum for the description. The Autopatch group name is appended to both the update rings and the DSS policy names that get created once the Custom Autopatch group is created.
|
||||
|
@ -1,7 +1,7 @@
|
||||
---
|
||||
title: Microsoft Edge
|
||||
description: This article explains how Microsoft Edge updates are managed in Windows Autopatch
|
||||
ms.date: 05/30/2022
|
||||
ms.date: 09/15/2023
|
||||
ms.prod: windows-client
|
||||
ms.technology: itpro-updates
|
||||
ms.topic: conceptual
|
||||
|
@ -29,7 +29,7 @@ Switching the toggle between Automatic and Self-managed modes creates driver pro
|
||||
| Modes | Description |
|
||||
| ----- | -----|
|
||||
| Automatic | We recommend using **Automatic** mode.<p>Automatic mode (default) is recommended for organizations with standard Original Equipment Manufacturer (OEM) devices where no recent driver or hardware issues have occurred due to Windows Updates. Automatic mode ensures the most secure drivers are installed using Autopatch deployment ring rollout.</p> |
|
||||
| Self-managed | When you use the the **Self-managed** mode for drivers and firmware, no drivers are installed in your environment without your explicit approval. You can still use Intune to choose specific drivers and deploy them on a ring-by-ring basis.<p>Self-managed mode turns off Windows Autopatch’s automatic driver deployment. Instead, the Administrator controls the driver deployment.<p>The Administrator selects the individual driver within an Intune driver update profile. Then, Autopatch creates an Intune driver update profile per deployment ring. Drivers can vary between deployment rings.</p><p>The drivers listed for selection represent only the drivers needed for the targeted clients, which are the Autopatch rings. Therefore, the drivers offered may vary between rings depending on the variety of device hardware in an organization.</p> |
|
||||
| Self-managed | When you use **Self-managed** mode, no drivers are installed in your environment without your explicit approval. You can still use Intune to choose specific drivers and deploy them on a ring-by-ring basis.<p>Self-managed mode turns off Windows Autopatch’s automatic driver deployment. Instead, the Administrator controls the driver deployment.<p>The Administrator selects the individual driver within an Intune driver update profile. Then, Autopatch creates an Intune driver update profile per deployment ring. Drivers can vary between deployment rings.</p><p>The drivers listed for selection represent only the drivers needed for the targeted clients, which are the Autopatch rings. Therefore, the drivers offered may vary between rings depending on the variety of device hardware in an organization.</p> |
|
||||
|
||||
## Set driver and firmware updates to Automatic or Self-managed mode
|
||||
|
||||
|
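Review bot: In the Self-managed row, the cell opens a paragraph with `<p>Self-managed mode turns off ...` and then starts the next one with another `<p>` right after "the Administrator controls the driver deployment." without a closing `</p>`; the later paragraphs in the same cell are closed. Since this row is being edited to fix "the the", add the missing `</p>` in the same change.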
@ -1,7 +1,7 @@
|
||||
---
|
||||
title: Microsoft Teams
|
||||
description: This article explains how Microsoft Teams updates are managed in Windows Autopatch
|
||||
ms.date: 05/30/2022
|
||||
ms.date: 09/15/2023
|
||||
ms.prod: windows-client
|
||||
ms.technology: itpro-updates
|
||||
ms.topic: conceptual
|
||||
|
@ -1,7 +1,7 @@
|
||||
---
|
||||
title: Configure your network
|
||||
description: This article details the network configurations needed for Windows Autopatch
|
||||
ms.date: 05/30/2022
|
||||
ms.date: 09/15/2023
|
||||
ms.prod: windows-client
|
||||
ms.technology: itpro-updates
|
||||
ms.topic: how-to
|
||||
|
@ -1,7 +1,7 @@
|
||||
---
|
||||
title: Enroll your tenant
|
||||
description: This article details how to enroll your tenant
|
||||
ms.date: 07/11/2022
|
||||
ms.date: 09/15/2023
|
||||
ms.prod: windows-client
|
||||
ms.technology: itpro-updates
|
||||
ms.topic: how-to
|
||||
|
@ -1,7 +1,7 @@
|
||||
---
|
||||
title: What's new 2023
|
||||
description: This article lists the 2023 feature releases and any corresponding Message center post numbers.
|
||||
ms.date: 09/05/2023
|
||||
ms.date: 09/11/2023
|
||||
ms.prod: windows-client
|
||||
ms.technology: itpro-updates
|
||||
ms.topic: whats-new
|
||||
@ -23,10 +23,19 @@ Minor corrections such as typos, style, or formatting issues aren't listed.
|
||||
|
||||
## September 2023
|
||||
|
||||
### September feature releases or updates
|
||||
|
||||
| Article | Description |
|
||||
| ----- | ----- |
|
||||
| [Conflicting configurations](../references/windows-autopatch-conflicting-configurations.md) | New feature. This article explains how to remediate conflicting configurations<ul><li>[MC671811](https://admin.microsoft.com/adminportal/home#/MessageCenter)</li></ul> |
|
||||
|
||||
### September service releases
|
||||
|
||||
| Message center post number | Description |
|
||||
| ----- | ----- |
|
||||
| [MC674422](https://admin.microsoft.com/adminportal/home#/MessageCenter) | Public Preview: Windows Autopatch Reliability Report |
|
||||
| [MC672750](https://admin.microsoft.com/adminportal/home#/MessageCenter) | August 2023 Windows Autopatch baseline configuration update |
|
||||
|
||||
## August 2023
|
||||
|
||||
### August feature releases or updates
|
||||
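Review bot: In the new "September service releases" table, MC672750 is titled "August 2023 Windows Autopatch baseline configuration update"; confirm it belongs under September and not in the August section below. In the feature table, the "Conflicting configurations" description ends "how to remediate conflicting configurations" with no period before the `<ul>`.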
@ -40,7 +49,7 @@ Minor corrections such as typos, style, or formatting issues aren't listed.
|
||||
| [Exclude a device](../operate/windows-autopatch-exclude-device.md) | Renamed Deregister a device to [Exclude a device](../operate/windows-autopatch-exclude-device.md). Added the [Restore device](../operate/windows-autopatch-exclude-device.md#restore-a-device-or-multiple-devices-previously-excluded) feature <ul><li>[MC667662](https://admin.microsoft.com/adminportal/home#/MessageCenter)</li></ul> |
|
||||
| [Device alerts](../operate/windows-autopatch-device-alerts.md) | Added `'InstallSetupBlock'` to the [Alert resolutions section](../operate/windows-autopatch-device-alerts.md#alert-resolutions) |
|
||||
|
||||
## August service releases
|
||||
### August service releases
|
||||
|
||||
| Message center post number | Description |
|
||||
| ----- | ----- |
|
||||
|
@ -6,7 +6,7 @@ ms.technology: itpro-privacy
|
||||
ms.localizationpriority: high
|
||||
author: DHB-MSFT
|
||||
ms.author: danbrown
|
||||
manager: dougeby
|
||||
manager: laurawi
|
||||
ms.date: 12/13/2018
|
||||
ms.topic: how-to
|
||||
---
|
||||
|
@ -6,7 +6,7 @@ ms.technology: itpro-privacy
|
||||
localizationpriority: medium
|
||||
author: DHB-MSFT
|
||||
ms.author: danbrown
|
||||
manager: dougeby
|
||||
manager: laurawi
|
||||
ms.date: 03/27/2017
|
||||
ms.topic: reference
|
||||
---
|
||||
|
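Review bot: The front matter in this hunk has `localizationpriority: medium` without the `ms.` prefix, while the other privacy files in this change use `ms.localizationpriority`. If the unprefixed key is not intentional, fix it while the `manager` line is being changed; the same key appears in the next three hunks.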
@ -6,7 +6,7 @@ ms.technology: itpro-privacy
|
||||
localizationpriority: medium
|
||||
author: DHB-MSFT
|
||||
ms.author: danbrown
|
||||
manager: dougeby
|
||||
manager: laurawi
|
||||
ms.date: 03/27/2017
|
||||
ms.topic: reference
|
||||
---
|
||||
|
@ -6,7 +6,7 @@ ms.technology: itpro-privacy
|
||||
localizationpriority: medium
|
||||
author: DHB-MSFT
|
||||
ms.author: danbrown
|
||||
manager: dougeby
|
||||
manager: laurawi
|
||||
ms.date: 03/27/2017
|
||||
ms.topic: reference
|
||||
---
|
||||
|
@ -6,7 +6,7 @@ ms.technology: itpro-privacy
|
||||
localizationpriority: medium
|
||||
author: DHB-MSFT
|
||||
ms.author: danbrown
|
||||
manager: dougeby
|
||||
manager: laurawi
|
||||
ms.date: 03/27/2017
|
||||
ms.topic: reference
|
||||
---
|
||||
|
@ -6,7 +6,7 @@ ms.technology: itpro-privacy
|
||||
ms.localizationpriority: high
|
||||
author: DHB-MSFT
|
||||
ms.author: danbrown
|
||||
manager: dougeby
|
||||
manager: laurawi
|
||||
ms.date: 06/04/2020
|
||||
ms.topic: conceptual
|
||||
---
|
||||
|
@ -6,7 +6,7 @@ ms.technology: itpro-privacy
|
||||
ms.localizationpriority: high
|
||||
author: DHB-MSFT
|
||||
ms.author: danbrown
|
||||
manager: dougeby
|
||||
manager: laurawi
|
||||
ms.date: 03/11/2016
|
||||
ms.collection: highpri
|
||||
ms.topic: conceptual
|
||||
|
70
windows/privacy/copilot-supplemental-terms.md
Normal file
@ -0,0 +1,70 @@
|
||||
---
|
||||
title: COPILOT IN WINDOWS (PREVIEW) SUPPLEMENTAL TERMS
|
||||
description: The Supplemental Terms for Copilot in Windows (Preview)
|
||||
ms.prod: windows-client
|
||||
ms.technology: itpro-privacy
|
||||
ms.localizationpriority: medium
|
||||
author: DHB-MSFT
|
||||
ms.author: danbrown
|
||||
manager: laurawi
|
||||
ms.date: 09/20/2023
|
||||
ms.topic: conceptual
|
||||
hideEdit: true
|
||||
layout: ContentPage
|
||||
ROBOTS: NOINDEX, NOFOLLOW
|
||||
feedback_system: None
|
||||
---
|
||||
|
||||
# COPILOT IN WINDOWS (PREVIEW) SUPPLEMENTAL TERMS
|
||||
|
||||
Copilot in Windows is your AI companion that brings productivity to your fingertips. Leveraging Bing Chat or Bing Chat Enterprise, Copilot in Windows accelerates your tasks, reduces friction, saves you time and provides you with personalized answers, inspiration and task assistance. Your use of Copilot in Windows is subject to these supplemental terms of use (“Terms”). By using Copilot in Windows you agree to be bound by these Terms.
|
||||
|
||||
1. Preview
|
||||
|
||||
a. COPILOT IN WINDOWS IS A PREVIEW FEATURE AND IS PROVIDED “AS-IS,” “WITH ALL FAULTS,” AND “AS AVAILABLE".
|
||||
|
||||
b. Microsoft makes no guarantees or promises about how Copilot in Windows operates or that it will function as intended.
|
||||
|
||||
2. Eligibility and Use Requirements.
|
||||
|
||||
a. You must be signed into Windows with your Microsoft account to access Copilot in Windows.
|
||||
|
||||
b. If you're signed into Windows with your work or school account, your organization may have given you the ability to use Copilot in Windows. If you have access to Copilot in Windows but your organization hasn't enabled Bing Chat Enterprise, your use will be limited to Bing Chat’s current turn limit.
|
||||
|
||||
c. Along with these Terms, your use of Copilot in Windows is also governed by the Microsoft Services Agreement, which is incorporated by reference. You agree that Copilot in Windows constitutes a Service, as defined in the [Microsoft Services Agreement](https://www.microsoft.com/servicesagreement). If there's any conflict between these Terms and the Microsoft Services Agreement, the conflicting provision in these Terms will control.
|
||||
|
||||
3. Bing Chat
|
||||
|
||||
a. Your Copilot in Windows experiences powered by Bing Chat are subject to [Bing Chat’s terms of use](https://go.microsoft.com/fwlink/p/?linkid=2247757).
|
||||
|
||||
b. If your organization is allowing you to use Bing Chat Enterprise, your Copilot in Windows experiences will be powered by Bing Chat Enterprise and will be subject to [Bing Chat Enterprise’s terms of use](https://go.microsoft.com/fwlink/p/?linkid=2247908).
|
||||
|
||||
4. Using Copilot in Windows
|
||||
|
||||
a. Copilot in Windows may allow you to submit text inputs and converse with an online computer-powered chatbot and in certain circumstances generate text content or image content. Your use of Copilot in Windows must comply with the Code of Conduct section of the Microsoft Services Agreement and the Bing Chat Code of Conduct or Bing Chat Enterprise Content Policy.
|
||||
|
||||
b. Copilot in Windows may allow you to change some of your Windows settings based on the text you submit into Copilot in Windows. Additionally, when you copy text in other apps while Copilot in Windows is open, it may automatically prompt you with suggestions to send the copied text to the chat and offer further suggestions of what you can do with that text.
|
||||
|
||||
c. You can consent to letting Copilot in Windows access your Microsoft Edge webpage content. This allows Copilot in Windows to provide relevant responses by accessing content from your active foreground Edge tab. This can be adjusted anytime in Copilot in Windows settings.
|
||||
|
||||
5. Data
|
||||
|
||||
a. All data processed by Copilot in Windows, including voice input data, will be processed according to the Microsoft Privacy Statement.
|
||||
|
||||
6. Ownership of Content
|
||||
|
||||
a. Microsoft doesn't claim ownership of any content you provide, post, input, or submit to, or receive from, Copilot in Windows, Bing Chat, or Bing Chat Enterprise (including feedback and suggestions). You'll need to make your own determination regarding the intellectual property rights you have in output content and its commercial usability, taking into account, among other things, your usage scenario(s) and the laws of the relevant jurisdiction. You warrant and represent that you or your organization owns or otherwise controls all of the rights to your content as described in these Terms including, without limitation, all the rights necessary for you to provide, post, upload, input or submit the content.
|
||||
|
||||
7. Third-party claims
|
||||
|
||||
a. You're responsible for responding to any third-party claims regarding your use of Copilot in Windows in compliance with applicable laws (including, but not limited to, copyright infringement or other claims relating to output content that was output during your use of Copilot in Windows).
|
||||
|
||||
8. Reverse engineering
|
||||
|
||||
a. You may not use Copilot in Windows to discover any underlying components of the models, algorithms, or systems, such as exfiltrating the weights of models.
|
||||
|
||||
9. Extracting data
|
||||
|
||||
a. You may not use web scraping, web harvesting, or web data extraction methods to extract data from Copilot in Windows or from any output content.
|
||||
|
||||
10. **IF YOU LIVE IN (OR YOUR PRINCIPAL PLACE OF BUSINESS IS IN) THE UNITED STATES, PLEASE READ THE BINDING ARBITRATION CLAUSE AND CLASS ACTION WAIVER IN SECTION 15 OF THE MICROSOFT SERVICES AGREEMENT. IT AFFECTS HOW DISPUTES RELATING TO THIS AGREEMENT ARE RESOLVED.**
|
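Review bot: In section 1.a the quotation marks are mixed: `“AS AVAILABLE".` opens with a curly quote and closes with a straight one, while “AS-IS,” and “WITH ALL FAULTS,” use curly pairs. Section 5.a names the Microsoft Privacy Statement without a link, although the Microsoft Services Agreement and both Bing Chat terms are linked; add the link so readers can reach the document that governs the data handling described there. Section 4.a refers to the "Bing Chat Code of Conduct or Bing Chat Enterprise Content Policy" with no link either.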
@ -6,7 +6,7 @@ ms.technology: itpro-privacy
|
||||
ms.localizationpriority: high
|
||||
author: DHB-MSFT
|
||||
ms.author: danbrown
|
||||
manager: dougeby
|
||||
manager: laurawi
|
||||
ms.date: 01/09/2018
|
||||
ms.collection: highpri
|
||||
ms.topic: how-to
|
||||
|
@ -6,7 +6,7 @@ ms.technology: itpro-privacy
|
||||
ms.localizationpriority: high
|
||||
author: DHB-MSFT
|
||||
ms.author: danbrown
|
||||
manager: dougeby
|
||||
manager: laurawi
|
||||
ms.date: 10/12/2017
|
||||
ms.topic: reference
|
||||
---
|
||||
|
@ -6,7 +6,7 @@ ms.technology: itpro-privacy
|
||||
ms.localizationpriority: high
|
||||
author: DHB-MSFT
|
||||
ms.author: danbrown
|
||||
manager: dougeby
|
||||
manager: laurawi
|
||||
ms.date: 06/28/2021
|
||||
ms.collection: highpri
|
||||
ms.topic: reference
|
||||
|
@ -12,7 +12,7 @@ metadata:
|
||||
ms.collection: highpri
|
||||
author: DHB-MSFT
|
||||
ms.author: danbrown
|
||||
manager: dougeby
|
||||
manager: laurawi
|
||||
ms.date: 09/08/2021 #Required; mm/dd/yyyy format.
|
||||
ms.localizationpriority: high
|
||||
|
||||
|
@ -6,7 +6,7 @@ ms.technology: itpro-privacy
|
||||
ms.localizationpriority: high
|
||||
author: DHB-MSFT
|
||||
ms.author: danbrown
|
||||
manager: dougeby
|
||||
manager: laurawi
|
||||
ms.date: 05/15/2019
|
||||
ms.topic: conceptual
|
||||
---
|
||||
|
@ -6,7 +6,7 @@ ms.technology: itpro-privacy
|
||||
ms.localizationpriority: high
|
||||
author: DHB-MSFT
|
||||
ms.author: danbrown
|
||||
manager: dougeby
|
||||
manager: laurawi
|
||||
ms.date: 03/07/2016
|
||||
ms.collection: highpri
|
||||
ms.topic: conceptual
|
||||
|
@ -6,7 +6,7 @@ ms.technology: itpro-privacy
|
||||
ms.localizationpriority: high
|
||||
author: DHB-MSFT
|
||||
ms.author: danbrown
|
||||
manager: dougeby
|
||||
manager: laurawi
|
||||
ms.date: 01/18/2018
|
||||
ms.topic: reference
|
||||
---
|
||||
|
@ -6,7 +6,7 @@ ms.technology: itpro-privacy
|
||||
ms.localizationpriority: high
|
||||
author: DHB-MSFT
|
||||
ms.author: danbrown
|
||||
manager: dougeby
|
||||
manager: laurawi
|
||||
ms.date: 01/18/2018
|
||||
ms.topic: reference
|
||||
---
|
||||
|
@ -6,7 +6,7 @@ ms.technology: itpro-privacy
|
||||
ms.localizationpriority: high
|
||||
author: DHB-MSFT
|
||||
ms.author: danbrown
|
||||
manager: dougeby
|
||||
manager: laurawi
|
||||
ms.date: 01/18/2018
|
||||
ms.topic: reference
|
||||
---
|
||||
|
@ -6,7 +6,7 @@ ms.technology: itpro-privacy
|
||||
ms.localizationpriority: high
|
||||
author: DHB-MSFT
|
||||
ms.author: danbrown
|
||||
manager: dougeby
|
||||
manager: laurawi
|
||||
ms.date: 01/18/2018
|
||||
ms.topic: reference
|
||||
---
|
||||
|
@ -6,7 +6,7 @@ ms.technology: itpro-privacy
|
||||
ms.localizationpriority: high
|
||||
author: DHB-MSFT
|
||||
ms.author: danbrown
|
||||
manager: dougeby
|
||||
manager: laurawi
|
||||
ms.date: 01/18/2018
|
||||
ms.topic: reference
|
||||
---
|
||||
|
@ -6,7 +6,7 @@ ms.technology: itpro-privacy
|
||||
ms.localizationpriority: high
|
||||
author: DHB-MSFT
|
||||
ms.author: danbrown
|
||||
manager: dougeby
|
||||
manager: laurawi
|
||||
ms.date: 01/18/2018
|
||||
ms.topic: reference
|
||||
---
|
||||
|
@ -6,7 +6,7 @@ ms.technology: itpro-privacy
|
||||
ms.localizationpriority: high
|
||||
author: DHB-MSFT
|
||||
ms.author: danbrown
|
||||
manager: dougeby
|
||||
manager: laurawi
|
||||
ms.date: 01/18/2018
|
||||
ms.topic: reference
|
||||
---
|
||||
|
@ -6,7 +6,7 @@ ms.technology: itpro-privacy
|
||||
ms.localizationpriority: high
|
||||
author: DHB-MSFT
|
||||
ms.author: danbrown
|
||||
manager: dougeby
|
||||
manager: laurawi
|
||||
ms.date: 05/20/2019
|
||||
ms.topic: conceptual
|
||||
---
|
||||
|
@ -6,7 +6,7 @@ ms.technology: itpro-privacy
|
||||
ms.localizationpriority: high
|
||||
author: DHB-MSFT
|
||||
ms.author: danbrown
|
||||
manager: dougeby
|
||||
manager: laurawi
|
||||
ms.date: 12/17/2020
|
||||
ms.topic: reference
|
||||
---
|
||||
|
@ -6,7 +6,7 @@ ms.technology: itpro-privacy
|
||||
ms.localizationpriority: high
|
||||
author: DHB-MSFT
|
||||
ms.author: danbrown
|
||||
manager: dougeby
|
||||
manager: laurawi
|
||||
ms.date: 03/31/2017
|
||||
ms.topic: reference
|
||||
---
|
||||
|
@ -6,7 +6,7 @@ ms.technology: itpro-privacy
|
||||
ms.localizationpriority: high
|
||||
author: DHB-MSFT
|
||||
ms.author: danbrown
|
||||
manager: dougeby
|
||||
manager: laurawi
|
||||
ms.date: 03/31/2017
|
||||
ms.collection: highpri
|
||||
ms.topic: reference
|
||||
|
@ -6,7 +6,7 @@ ms.technology: itpro-privacy
|
||||
ms.localizationpriority: high
|
||||
author: DHB-MSFT
|
||||
ms.author: danbrown
|
||||
manager: dougeby
|
||||
manager: laurawi
|
||||
ms.date: 06/29/2018
|
||||
ms.topic: reference
|
||||
---
|
||||
|
@ -6,7 +6,7 @@ ms.technology: itpro-privacy
|
||||
ms.localizationpriority: high
|
||||
author: DHB-MSFT
|
||||
ms.author: danbrown
|
||||
manager: dougeby
|
||||
manager: laurawi
|
||||
ms.date: 06/29/2018
|
||||
ms.topic: reference
|
||||
---
|
||||
|
@ -6,7 +6,7 @@ ms.technology: itpro-privacy
|
||||
ms.localizationpriority: high
|
||||
author: DHB-MSFT
|
||||
ms.author: danbrown
|
||||
manager: dougeby
|
||||
manager: laurawi
|
||||
ms.date: 07/20/2020
|
||||
ms.topic: reference
|
||||
---
|
||||
|
@ -6,7 +6,7 @@ ms.technology: itpro-privacy
|
||||
ms.localizationpriority: high
|
||||
author: DHB-MSFT
|
||||
ms.author: danbrown
|
||||
manager: dougeby
|
||||
manager: laurawi
|
||||
ms.date: 05/11/2020
|
||||
ms.topic: reference
|
||||
---
|
||||
|
@ -6,7 +6,7 @@ ms.technology: itpro-privacy
|
||||
ms.localizationpriority: high
|
||||
author: DHB-MSFT
|
||||
ms.author: danbrown
|
||||
manager: dougeby
|
||||
manager: laurawi
|
||||
ms.date: 12/17/2020
|
||||
ms.topic: reference
|
||||
---
|
||||
|
@ -6,7 +6,7 @@ ms.technology: itpro-privacy
|
||||
ms.localizationpriority: high
|
||||
author: DHB-MSFT
|
||||
ms.author: danbrown
|
||||
manager: dougeby
|
||||
manager: laurawi
|
||||
ms.date: 12/17/2020
|
||||
ms.topic: reference
|
||||
---
|
||||
|
@ -13,15 +13,15 @@ The following table lists the available settings to configure the UAC behavior,
|
||||
|
||||
|Setting name| Description|
|
||||
|-|-|
|
||||
|Run all administrators in Admin Approval Mode|Controls the behavior of all UAC policy settings.<br><br>**Enabled (default)**: Admin Approval Mode is enabled. This policy must be enabled and related UAC settings configured. The policy allows the built-in Administrator account and members of the Administrators group to run in Admin Approval Mode.<br>**Disabled**: Admin Approval Mode and all related UAC policy settings are disabled. Note: If this policy setting is disabled, **Windows Security** notifies you that the overall security of the operating system has been reduced.|
|
||||
|Admin Approval Mode for the Built-in Administrator account|Controls the behavior of Admin Approval Mode for the built-in Administrator account.<br><br>**Enabled**: The built-in Administrator account uses Admin Approval Mode. By default, any operation that requires elevation of privilege prompts the user to approve the operation.<br>**Disabled (default)** : The built-in Administrator account runs all applications with full administrative privilege.|
|
||||
|Switch to the secure desktop when prompting for elevation|This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop.<br><br>**Enabled (default)**: All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users.<br>**Disabled**: All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for administrators and standard users are used.|
|
||||
|Admin Approval Mode for the Built-in Administrator account|Controls the behavior of Admin Approval Mode for the built-in Administrator account.<br><br>**Enabled**: The built-in Administrator account uses Admin Approval Mode. By default, any operation that requires elevation of privilege prompts the user to approve the operation.<br>**Disabled (default)**: The built-in Administrator account runs all applications with full administrative privilege.|
|
||||
|Allow UIAccess applications to prompt for elevation without using the secure desktop|Controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user.<br><br>**Enabled**: UIA programs, including Remote Assistance, automatically disable the secure desktop for elevation prompts. If you don't disable the **Switch to the secure desktop when prompting for elevation** policy setting, the prompts appear on the interactive user's desktop instead of the secure desktop. This setting allows the remote administrator to provide the appropriate credentials for elevation. This policy setting doesn't change the behavior of the UAC elevation prompt for administrators. If you plan to enable this policy setting, you should also review the effect of the **Behavior of the elevation prompt for standard users** policy setting: if it's' configured as **Automatically deny elevation requests**, elevation requests aren't presented to the user.<br>**Disabled (default)**: The secure desktop can be disabled only by the user of the interactive desktop or by disabling the **Switch to the secure desktop when prompting for elevation** policy setting.|
|
||||
|Behavior of the elevation prompt for administrators in Admin Approval Mode|Controls the behavior of the elevation prompt for administrators.<br><br>**Elevate without prompting**: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. **Use this option only in the most constrained environments**.<br>**Prompt for credentials on the secure desktop**: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege.<br>**Prompt for consent on the secure desktop**: When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.<br>**Prompt for credentials**: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.<br>**Prompt for consent**: When an operation requires elevation of privilege, the user is prompted to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.<br>**Prompt for consent for non-Windows binaries (default)**: When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.|
|
||||
|Behavior of the elevation prompt for standard users|Controls the behavior of the elevation prompt for standard users.<br><br>**Prompt for credentials (default)**: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.<br>**Automatically deny elevation requests**: When an operation requires elevation of privilege, a configurable access denied error message is displayed. An enterprise that is running desktops as standard user may choose this setting to reduce help desk calls.<br>**Prompt for credentials on the secure desktop** When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.|
|
||||
|Detect application installations and prompt for elevation|Controls the behavior of application installation detection for the computer.<br><br>**Enabled (default)**: When an app installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.<br>**Disabled**: App installation packages aren't detected and prompted for elevation. Enterprises that are running standard user desktops and use delegated installation technologies, such as Microsoft Intune, should disable this policy setting. In this case, installer detection is unnecessary. |
|
||||
|Only elevate executables that are signed and validated|Enforces signature checks for any interactive applications that request elevation of privilege. IT admins can control which applications are allowed to run by adding certificates to the Trusted Publishers certificate store on local devices.<br><br>**Enabled**: Enforces the certificate certification path validation for a given executable file before it's permitted to run.<br>**Disabled (default)**: Doesn't enforce the certificate certification path validation before a given executable file is permitted to run.|
|
||||
|Only elevate UIAccess applications that are installed in secure locations|Controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following folders:<br>- `%ProgramFiles%`, including subfolders<br>- `%SystemRoot%\system32\`<br>- `%ProgramFiles(x86)%`, including subfolders<br><br><br>**Enabled (default)**: If an app resides in a secure location in the file system, it runs only with UIAccess integrity.<br>**Disabled**: An app runs with UIAccess integrity even if it doesn't reside in a secure location in the file system.<br><br>**Note:** Windows enforces a digital signature check on any interactive apps that requests to run with a UIAccess integrity level regardless of the state of this setting.|
|
||||
|Allow UIAccess applications to prompt for elevation without using the secure desktop|Controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user.<br><br>**Enabled**: UIA programs, including Remote Assistance, automatically disable the secure desktop for elevation prompts. If you don't disable the **Switch to the secure desktop when prompting for elevation** policy setting, the prompts appear on the interactive user's desktop instead of the secure desktop. This setting allows the remote administrator to provide the appropriate credentials for elevation. This policy setting doesn't change the behavior of the UAC elevation prompt for administrators. If you plan to enable this policy setting, you should also review the effect of the **Behavior of the elevation prompt for standard users** policy setting: if it's' configured as **Automatically deny elevation requests**, elevation requests aren't presented to the user.<br>**Disabled (default)**: The secure desktop can be disabled only by the user of the interactive desktop or by disabling the **Switch to the secure desktop when prompting for elevation** policy setting.|
|
||||
|Run all administrators in Admin Approval Mode|Controls the behavior of all UAC policy settings.<br><br>**Enabled (default)**: Admin Approval Mode is enabled. This policy must be enabled and related UAC settings configured. The policy allows the built-in Administrator account and members of the Administrators group to run in Admin Approval Mode.<br>**Disabled**: Admin Approval Mode and all related UAC policy settings are disabled. Note: If this policy setting is disabled, **Windows Security** notifies you that the overall security of the operating system has been reduced.|
|
||||
|Switch to the secure desktop when prompting for elevation|This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop.<br><br>**Enabled (default)**: All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users.<br>**Disabled**: All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for administrators and standard users are used.|
|
||||
|Virtualize File And Registry Write Failures To Per User Locations|Controls whether application write failures are redirected to defined registry and file system locations. This setting mitigates applications that run as administrator and write run-time application data to `%ProgramFiles%`, `%Windir%`, `%Windir%\system32`, or `HKLM\Software`.<br><br>**Enabled (default)**: App write failures are redirected at run time to defined user locations for both the file system and registry.<br>**Disabled**: Apps that write data to protected locations fail.|
|
||||
|
||||
## User Account Control configuration
|
||||
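Review bot: The **Allow UIAccess applications to prompt for elevation without using the secure desktop** row has a stray apostrophe in both places it appears in this hunk: "if it's' configured as **Automatically deny elevation requests**". Since the row is being touched anyway, change it to "if it's configured". Two unchanged rows nearby could be fixed in the same pass: the note under **Only elevate UIAccess applications that are installed in secure locations** reads "any interactive apps that requests", and the third option under **Behavior of the elevation prompt for standard users** is missing the colon after its bold label.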
@ -50,15 +50,15 @@ The policy settings are located under: `./Device/Vendor/MSFT/Policy/Config/Local
|
||||
|
||||
|Setting|
|
||||
| - |
|
||||
| **Setting name**: Run all administrators in Admin Approval Mode<br>**Policy CSP name**: `UserAccountControl_RunAllAdministratorsInAdminApprovalMode`|
|
||||
| **Setting name**: Admin Approval Mode for the built-in Administrator account<br>**Policy CSP name**: `UserAccountControl_UseAdminApprovalMode`|
|
||||
| **Setting name**: Switch to the secure desktop when prompting for elevation<br>**Policy CSP name**: `UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation`|
|
||||
| **Setting name**: Allow UIAccess applications to prompt for elevation without using the secure desktop<br>**Policy CSP name**: `UserAccountControl_AllowUIAccessApplicationsToPromptForElevation`|
|
||||
| **Setting name**: Behavior of the elevation prompt for administrators in Admin Approval Mode<br>**Policy CSP name**: `UserAccountControl_BehaviorOfTheElevationPromptForAdministrators`|
|
||||
| **Setting name**: Behavior of the elevation prompt for standard users<br>**Policy CSP name**: `UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers`|
|
||||
| **Setting name**: Detect application installations and prompt for elevation<br>**Policy CSP name**: `UserAccountControl_DetectApplicationInstallationsAndPromptForElevation`|
|
||||
| **Setting name**: Only elevate executables that are signed and validated<br>**Policy CSP name**: `UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated`|
|
||||
| **Setting name**: Only elevate UIAccess applications that are installed in secure locations<br>**Policy CSP name**: `UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations`|
|
||||
| **Setting name**: Allow UIAccess applications to prompt for elevation without using the secure desktop<br>**Policy CSP name**: `UserAccountControl_AllowUIAccessApplicationsToPromptForElevation`|
|
||||
| **Setting name**: Run all administrators in Admin Approval Mode<br>**Policy CSP name**: `UserAccountControl_RunAllAdministratorsInAdminApprovalMode`|
|
||||
| **Setting name**: Switch to the secure desktop when prompting for elevation<br>**Policy CSP name**: `UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation`|
|
||||
| **Setting name**: Virtualize file and registry write failures to per-user locations<br>**Policy CSP name**: `UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations`|
|
||||
|
||||
#### [:::image type="icon" source="../../../images/icons/group-policy.svg" border="false"::: **Group policy**](#tab/gpo)
|
||||
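Review bot: Neither of the two positions this hunk shows for the `UserAccountControl_AllowUIAccessApplicationsToPromptForElevation` row (after **Switch to the secure desktop when prompting for elevation** and after **Only elevate UIAccess applications that are installed in secure locations**) is alphabetical by setting name. If the table is meant to be sorted by setting name, the row belongs directly after **Admin Approval Mode for the built-in Administrator account**. If the intent is to keep the two UIAccess settings together, say so in the commit message and keep the same order in the Group policy and Registry tabs.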
@ -69,15 +69,15 @@ The policy settings are located under: `Computer Configuration\Windows Settings\
|
||||
|
||||
| Group Policy setting |Default value|
|
||||
| - | - |
|
||||
|User Account Control: Run all administrators in Admin Approval Mode| Enabled |
|
||||
|User Account Control: Admin Approval Mode for the built-in Administrator account| Disabled |
|
||||
|User Account Control: Switch to the secure desktop when prompting for elevation | Enabled |
|
||||
|User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop| Disabled |
|
||||
|User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode| Prompt for consent for non-Windows binaries |
|
||||
|User Account Control: Behavior of the elevation prompt for standard users | Prompt for credentials |
|
||||
|User Account Control: Detect application installations and prompt for elevation| Enabled (default for home only)<br />Disabled (default) |
|
||||
|User Account Control: Detect application installations and prompt for elevation| Enabled (default for home edition only)<br />Disabled (default) |
|
||||
|User Account Control: Only elevate executables that are signed and validated| Disabled |
|
||||
|User Account Control: Only elevate UIAccess applications that are installed in secure locations | Enabled |
|
||||
|User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop| Disabled |
|
||||
|User Account Control: Run all administrators in Admin Approval Mode| Enabled |
|
||||
|User Account Control: Switch to the secure desktop when prompting for elevation | Enabled |
|
||||
|User Account Control: Virtualize file and registry write failures to per-user locations | Enabled |
|
||||
|
||||
#### [:::image type="icon" source="../../../images/icons/windows-os.svg" border="false"::: **Registry**](#tab/reg)
|
||||
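Review bot: In the **Detect application installations and prompt for elevation** row, the Default value cell lists two defaults, "Enabled (default for home edition only)" and "Disabled (default)", and the second does not say which editions it covers. Suggest wording it as the default for all other editions. The settings list earlier in this file marks **Enabled (default)** for the same setting with no edition qualifier, so that description should be reconciled with this cell.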
@ -86,15 +86,15 @@ The registry keys are found under the key: `HKLM:\SOFTWARE\Microsoft\Windows\Cur
|
||||
|
||||
| Setting name | Registry key name | Value |
|
||||
| - | - | - |
|
||||
| Run all administrators in Admin Approval Mode | `EnableLUA` | 0 = Disabled<br>1 (Default) = Enabled |
|
||||
| Admin Approval Mode for the built-in Administrator account | `FilterAdministratorToken` | 0 (Default) = Disabled<br>1 = Enabled |
|
||||
| Switch to the secure desktop when prompting for elevation| `PromptOnSecureDesktop` | 0 = Disabled<br>1 (Default) = Enabled |
|
||||
| Allow UIAccess applications to prompt for elevation without using the secure desktop | `EnableUIADesktopToggle` | 0 (Default) = Disabled<br>1 = Enabled |
|
||||
| Behavior of the elevation prompt for administrators in Admin Approval Mode| `ConsentPromptBehaviorAdmin` | 0 = Elevate without prompting<br>1 = Prompt for credentials on the secure desktop<br>2 = Prompt for consent on the secure desktop<br>3 = Prompt for credentials<br>4 = Prompt for consent<br>5 (Default) = Prompt for consent for non-Windows binaries|
|
||||
| Behavior of the elevation prompt for standard users | `ConsentPromptBehaviorUser` | 0 = Automatically deny elevation requests<br>1 = Prompt for credentials on the secure desktop<br>3 (Default) = Prompt for credentials |
|
||||
| Detect application installations and prompt for elevation | `EnableInstallerDetection` | 1 = Enabled (default for home only)<br>0 = Disabled (default) |
|
||||
| Only elevate executables that are signed and validated | `ValidateAdminCodeSignatures` | 0 (Default) = Disabled<br>1 = Enabled |
|
||||
| Only elevate UIAccess applications that are installed in secure locations | `EnableSecureUIAPaths` | 0 = Disabled<br>1 (Default) = Enabled |
|
||||
| Allow UIAccess applications to prompt for elevation without using the secure desktop | `EnableUIADesktopToggle` | 0 (Default) = Disabled<br>1 = Enabled |
|
||||
| Run all administrators in Admin Approval Mode | `EnableLUA` | 0 = Disabled<br>1 (Default) = Enabled |
|
||||
| Switch to the secure desktop when prompting for elevation| `PromptOnSecureDesktop` | 0 = Disabled<br>1 (Default) = Enabled |
|
||||
| Virtualize file and registry write failures to per-user locations | `EnableVirtualization` | 0 = Disabled<br>1 (Default) = Enabled |
|
||||
|
||||
[WIN-1]: /windows/client-management/mdm/policy-csp-localpoliciessecurityoptions
|
||||
|
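Review bot: The `EnableInstallerDetection` row still reads "1 = Enabled (default for home only)", while the matching row in the Group policy tab reads "default for home edition only"; use the same wording in both tabs. This row also lists 1 before 0, where every other row in the table lists its values in ascending order.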
@ -108,7 +108,7 @@ For info about setting security policies, see [Configure security policy setting
|
||||
| [Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers](network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md)| Describes the best practices, location, values, management aspects, and security considerations for the **Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers** security policy setting. |
|
||||
| [Recovery console: Allow automatic administrative logon](recovery-console-allow-automatic-administrative-logon.md)| Describes the best practices, location, values, policy management, and security considerations for the **Recovery console: Allow automatic administrative logon** security policy setting. |
|
||||
| [Recovery console: Allow floppy copy and access to all drives and folders](recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md)| Describes the best practices, location, values, policy management, and security considerations for the **Recovery console: Allow floppy copy and access to all drives and folders** security policy setting. |
|
||||
| [Shutdown: Allow system to be shut down without having to lg on](shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md)| Describes the best practices, location, values, policy management, and security considerations for the **Shutdown: Allow system to be shut down without having to log on** security policy setting. |
|
||||
| [Shutdown: Allow system to be shut down without having to log on](shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md)| Describes the best practices, location, values, policy management, and security considerations for the **Shutdown: Allow system to be shut down without having to log on** security policy setting. |
|
||||
| [Shutdown: Clear virtual memory pagefile](shutdown-clear-virtual-memory-pagefile.md)| Describes the best practices, location, values, policy management, and security considerations for the **Shutdown: Clear virtual memory pagefile** security policy setting.|
|
||||
| [System cryptography: Force strong key protection for user keys stored on the computer](system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md)| Describes the best practices, location, values, policy management, and security considerations for the **System cryptography: Force strong key protection for user keys stored on the computer** security policy setting. |
|
||||
| [System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing](system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md)| This security policy reference topic for the IT professional describes the best practices, location, values, policy management, and security considerations for this policy setting. |
|
||||
|
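Review bot: The description cell of the unchanged **System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing** row does not follow the pattern of its neighbours: it opens with "This security policy reference topic for the IT professional describes" and ends with "for this policy setting" instead of naming the setting in bold. Worth aligning it with the other rows while this table is being corrected.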
@ -25,7 +25,7 @@ This article lists new and updated features and content that is of interest to I
|
||||
|
||||
As with previous fall releases, Windows 10, version 20H2 is a scoped set of features for select performance improvements, enterprise features, and quality enhancements. As an [H2-targeted release](/lifecycle/faq/windows), 20H2 is serviced for 30 months from the release date for devices running Windows 10 Enterprise or Windows 10 Education editions.
|
||||
|
||||
To download and install Windows 10, version 20H2, use Windows Update (**Settings > Update & Security > Windows Update**). For more information, including a video, see [How to get the Windows 10 October 2020 Update](https://community.windows.com/videos/how-to-get-the-windows-10-october-2020-update/7c7_mWN0wi8).
|
||||
To download and install Windows 10, version 20H2, use Windows Update (**Settings > Update & Security > Windows Update**).
|
||||
|
||||
## Microsoft Edge
|
||||
|
||||
|