diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md new file mode 100644 index 0000000000..deb2888417 --- /dev/null +++ b/.github/pull_request_template.md @@ -0,0 +1,39 @@ + + + +## Why + + + +- Closes #[Issue Number] + +## Changes + + + + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-internetexplorer.md b/windows/client-management/mdm/policy-csp-internetexplorer.md index ef76b0c2fb..c92b313661 100644 --- a/windows/client-management/mdm/policy-csp-internetexplorer.md +++ b/windows/client-management/mdm/policy-csp-internetexplorer.md @@ -213,6 +213,12 @@ manager: aaroncz
InternetExplorer/EnableExtendedIEModeHotkeys
+
+ InternetExplorer/EnableGlobalWindowListInIEMode +
+
+ InternetExplorer/HideInternetExplorer11RetirementNotification +
InternetExplorer/IncludeAllLocalSites
@@ -612,6 +618,9 @@ manager: aaroncz
InternetExplorer/RemoveRunThisTimeButtonForOutdatedActiveXControls
+
+ InternetExplorer/ResetZoomForDialogInIEMode +
InternetExplorer/RestrictActiveXInstallInternetExplorerProcesses
@@ -4423,6 +4432,115 @@ ADMX Info: +
+ + +**InternetExplorer/EnableGlobalWindowListInIEMode** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + + +This setting allows Internet Explorer mode to use the global window list that enables sharing state with other applications. +The setting will take effect only when Internet Explorer 11 is disabled as a standalone browser. + +- If you enable this policy, Internet Explorer mode will use the global window list. + +- If you disable or don’t configure this policy, Internet Explorer mode will continue to maintain a separate window list. + + + +The following list shows the supported values: + +- 0 (default) - Disabled +- 1 - Enabled + + + +ADMX Info: +- GP Friendly name: *Enable global window list in Internet Explorer mode* +- GP name: *EnableGlobalWindowListInIEMode* +- GP path: *Windows Components/Internet Explorer/Main* +- GP ADMX file name: *inetres.admx* + + + + +
+ + +**InternetExplorer/HideInternetExplorer11RetirementNotification** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|No| +|Windows SE|No|No| +|Business|Yes|No| +|Enterprise|Yes|No| +|Education|Yes|No| + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + + +This policy setting allows you to manage whether the notification bar reminder that Internet Explorer is being retired is displayed. By default, the Notification bar is displayed in Internet Explorer 11. + +- If you enable this policy setting, the notification bar will not be displayed in Internet Explorer 11. + +- If you disable, or do not configure, this policy setting, the notification bar will be displayed in Internet Explorer 11. + + + +The following list shows the supported values: + +- 0 (default) - Disabled +- 1 - Enabled + + + +ADMX Info: +- GP Friendly name: *Hide Internet Explorer 11 retirement notification* +- GP name: *DisableIEAppDeprecationNotification* +- GP path: *Windows Components/Internet Explorer/Main* +- GP ADMX file name: *inetres.admx* + + + +
**InternetExplorer/IncludeAllLocalSites** @@ -11161,6 +11279,60 @@ ADMX Info:
+ +**InternetExplorer/ResetZoomForDialogInIEMode** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + + +This policy setting lets admins reset zoom to default for HTML dialogs in Internet Explorer mode. + +- If you enable this policy, the zoom of an HTML dialog in Internet Explorer mode will not get propagated from its parent page. + +- If you disable, or don't configure this policy, the zoom of an HTML dialog in Internet Explorer mode will be set based on the zoom of it's parent page. + + + +The following list shows the supported values: + +- 0 (default) - Disabled +- 1 - Enabled + + + +ADMX Info: +- GP Friendly name: *Reset zoom to default for HTML dialogs in Internet Explorer mode* +- GP name: *ResetZoomForDialogInIEMode* +- GP path: *Windows Components/Internet Explorer/Main* +- GP ADMX file name: *inetres.admx* + + + + +
+ **InternetExplorer/RestrictActiveXInstallInternetExplorerProcesses** diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md index fb3df8f46b..ffd3cf4cbf 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md @@ -28,7 +28,13 @@ Windows Autopatch can take over software update management control of devices th ### About the use of an Azure AD group to register devices -You must choose what devices to manage with Windows Autopatch by either adding them through direct membership or by nesting other Azure AD dynamic/assigned groups into the **Windows Autopatch Device Registration** Azure AD assigned group. Windows Autopatch automatically runs its discover devices function every hour to discover new devices added to this group. Once new devices are discovered, Windows Autopatch attempts to register these devices. +You must choose what devices to manage with Windows Autopatch by adding them to the **Windows Autopatch Device Registration** Azure AD assigned group. Devices can be added using the following methods: + +- Direct membership +- Nesting other Azure AD dynamic/assigned groups +- Bulk operations – Import members + +Windows Autopatch automatically runs its discover devices function every hour to discover new devices added to this group. Once new devices are discovered, Windows Autopatch attempts to register these devices. > [!NOTE] > Devices that are intended to be managed by the Windows Autopatch service **must** be added into the **Windows Autopatch Device Registration** Azure AD assigned group. Devices can only be added to this group if they have an Azure AD device ID. Windows Autopatch scans the Azure AD group hourly to discover newly added devices to be registered. You can also use the **Discover devices** button in either the **Ready** or **Not ready** tab to register devices on demand. diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md index 982440f7ea..3169d13cff 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md @@ -40,6 +40,9 @@ During the [tenant enrollment process](../prepare/windows-autopatch-enroll-tenan Each deployment ring has a different set of update deployment policies to control the updates rollout. +> [!WARNING] +> Adding or importing devices into any of these groups directly is not supported and doing so might cause an unexpected impact on the Windows Autopatch service. To move devices between these groups, see [Moving devices in between deployment rings](../operate/windows-autopatch-update-management.md#moving-devices-in-between-deployment-rings). + > [!IMPORTANT] > Windows Autopatch device registration doesn't assign devices to its test deployment ring (**Modern Workplace Devices-Windows Autopatch-Test**). This is intended to prevent devices that are essential to a business from being affected or devices that are used by executives from receiving early software update deployments. @@ -58,7 +61,7 @@ The Windows Autopatch deployment ring calculation happens during the [device reg | Deployment ring | Default device balancing percentage | Description | | ----- | ----- | ----- | -| Test | **zero** | Windows Autopatch doesn't automatically add devices to this deployment ring. You must manually add devices to the Test ring. The recommended number of devices in this ring, based upon your environment size, is as follows:
Devices in this group are intended for your IT Administrators and testers since changes are released here first. This release schedule provides your organization the opportunity to validate updates prior to reaching production users. | +| Test | **zero** | Windows Autopatch doesn't automatically add devices to this deployment ring. You must manually add devices to the Test ring following the required procedure. For more information on these procedures, see [Moving devices in between deployment rings](/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management#moving-devices-in-between-deployment-rings). The recommended number of devices in this ring, based upon your environment size, is as follows:
Devices in this group are intended for your IT Administrators and testers since changes are released here first. This release schedule provides your organization the opportunity to validate updates prior to reaching production users. | | First | **1%** | The First ring is the first group of production users to receive a change.

This group is the first set of devices to send data to Windows Autopatch and are used to generate a health signal across all end-users. For example, Windows Autopatch can generate a statistically significant signal saying that critical errors are trending up in a specific release for all end-users, but can't be confident that it's doing so in your organization.

Since Windows Autopatch doesn't yet have sufficient data to inform a release decision, devices in this deployment ring might experience outages if there are scenarios that weren't covered during early testing in the Test ring.| | Fast | **9%** | The Fast ring is the second group of production users to receive changes. The signals from the First ring are considered as a part of the release process to the Broad ring.

The goal with this deployment ring is to cross the **500**-device threshold needed to generate statistically significant analysis at the tenant level. These extra devices allow Windows Autopatch to consider the effect of a release on the rest of your devices and evaluate if a targeted action for your tenant is needed.

| | Broad | Either **80%** or **90%** | The Broad ring is the last group of users to receive software update deployments. Since it contains most of the devices registered with Windows Autopatch, it favors stability over speed in an software update deployment.| @@ -80,7 +83,10 @@ When the assignment is complete, the **Ring assigned by** column changes to **Ad > [!NOTE] > You can only move devices to other deployment rings when they're in an active state in the **Ready** tab.

If you don't see the **Ring assigned by column** change to **Pending** in Step 5, check to see whether the device exists in Microsoft Endpoint Manager-Intune or not by searching for it in its device blade. For more information, see [Device details in Intune](/mem/intune/remote-actions/device-inventory). - + +> [!WARNING] +> Moving devices between deployment rings through directly changing Azure AD group membership isn't supported and may cause unintended configuration conflicts within the Windows Autopatch service. To avoid service interruption to devices, use the **Assign device to ring** action described previously to move devices between deployment rings. + ## Automated deployment ring remediation functions Windows Autopatch monitors device membership in its deployment rings, except for the **Modern Workplace Devices-Windows Autopatch-Test** ring, to provide automated deployment ring remediation functions to mitigate the risk of not having its managed devices being part of one of its deployment rings. These automated functions help mitigate risk of potentially having devices in a vulnerable state, and exposed to security threats in case they're not receiving update deployments due to either: diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md index ab4daa7fe2..4ca89f1b2d 100644 --- a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md +++ b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md @@ -29,10 +29,10 @@ Windows Autopatch will create Azure Active Directory groups that are required to | Modern Workplace-All | All Modern Workplace users | | Modern Workplace - Windows 11 Pre-Release Test Devices | Device group for Windows 11 Pre-Release testing. | | Modern Workplace Devices-All | All Modern Workplace devices | -| Modern Workplace Devices-Windows Autopatch-Test | Immediate ring for device rollout | -| Modern Workplace Devices-Windows Autopatch-First | First production ring for early adopters | -| Modern Workplace Devices-Windows Autopatch-Fast | Fast ring for quick rollout and adoption | -| Modern Workplace Devices-Windows Autopatch-Broad | Final ring for broad rollout into an organization | +| Modern Workplace Devices-Windows Autopatch-Test | Deployment ring for testing update deployments prior production rollout | +| Modern Workplace Devices-Windows Autopatch-First | First production deployment ring for early adopters | +| Modern Workplace Devices-Windows Autopatch-Fast | Fast deployment ring for quick rollout and adoption | +| Modern Workplace Devices-Windows Autopatch-Broad | Final deployment ring for broad rollout into the organization | | Modern Workplace Devices Dynamic - Windows 10 | Microsoft Managed Desktop Devices with Windows 10

Group Rule:


Exclusions: | | Modern Workplace Devices Dynamic - Windows 11 | Microsoft Managed Desktop Devices with Windows 11

Group Rule:


Exclusions: | | Modern Workplace Roles - Service Administrator | All users granted access to Modern Workplace Service Administrator Role | diff --git a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md index 0164891a96..b8fe13f82f 100644 --- a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md +++ b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md @@ -419,15 +419,9 @@ Your VM (or device) can be registered either via Intune or Microsoft Store for B > [!IMPORTANT] > If you've already registered your VM (or device) using Intune, then skip this step. -Optional: see the following video for an overview of the process. - -  - -> [!video https://www.youtube.com/embed/IpLIZU_j7Z0] - First, you need a Microsoft Store for Business account. You can use the same one you created above for Intune, or follow [these instructions](/microsoft-store/windows-store-for-business-overview) to create a new one. -Next, to sign in to [Microsoft Store for Business](https://businessstore.microsoft.com/en-us/store) with your test account, select **Sign in** on the upper-right-corner of the main page. +Next, to sign in to [Microsoft Store for Business](https://businessstore.microsoft.com/store) with your test account, select **Sign in** on the upper-right-corner of the main page. Select **Manage** from the top menu, then select the **Windows Autopilot Deployment Program** link under the **Devices** card. See the following example: @@ -528,8 +522,6 @@ Select **OK**, and then select **Create**. If you already created and assigned a profile via Intune with the steps immediately above, then skip this section. -A [video](https://www.youtube.com/watch?v=IpLIZU_j7Z0) is available that covers the steps required to create and assign profiles in Microsoft Store for Business. These steps are also summarized below. - First, sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com/manage/dashboard) using the Intune account you initially created for this lab. Select **Manage** from the top menu, then select **Devices** from the left navigation tree. diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md index 3f1a94a7ad..59695ee06d 100644 --- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md +++ b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md @@ -2,8 +2,8 @@ title: Microsoft Defender SmartScreen overview description: Learn how Microsoft Defender SmartScreen protects against phishing or malware websites and applications, and the downloading of potentially malicious files. ms.prod: m365-security -author: mjcaparas -ms.author: macapara +author: dansimp +ms.author: dansimp ms.localizationpriority: high ms.reviewer: manager: dansimp diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md index e30b2c517a..b7d7521a48 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md @@ -3,13 +3,13 @@ title: Script rules in AppLocker (Windows) description: This article describes the file formats and available default rules for the script rule collection. ms.assetid: fee24ca4-935a-4c5e-8a92-8cf1d134d35f ms.reviewer: -ms.author: macapara +ms.author: dansimp ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: mjcaparas +author: dansimp manager: dansimp audience: ITPro ms.collection: M365-security-compliance diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md index f99766832e..005c1ddcc2 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md @@ -3,13 +3,13 @@ title: Understand AppLocker enforcement settings (Windows) description: This topic describes the AppLocker enforcement settings for rule collections. ms.assetid: 48773007-a343-40bf-8961-b3ff0a450d7e ms.reviewer: -ms.author: macapara +ms.author: dansimp ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: mjcaparas +author: dansimp manager: dansimp audience: ITPro ms.collection: M365-security-compliance