Merge pull request #7046 from MicrosoftDocs/main

Publish 09/06/2022 3:30 PM PT
2025-05-29 13:47:23 +00:00 · 2022-09-06 16:53:19 -06:00 · 2022-09-06 16:53:19 -06:00 · 0bcbae71ea
commit 0bcbae71ea
parent 2a586abdfd ab44a6ef8f
9 changed files with 237 additions and 22 deletions
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@ -0,0 +1,39 @@
+<!-- 
+Fill out the following information to help us review this pull request. 
+You can delete these comments once you are done.
+-->
+<!-- 
+## Description
+
+If your changes are extensive:
+- Uncomment this heading and provide a brief description here.
+- List more detailed changes below under the changes heading.
+-->
+
+## Why
+
+<!--
+- Briefly describe _why_ you made this pull request.
+- If this pull request relates to an issue, provide the issue number or link.
+- If this pull request closes an issue, use a keyword (`Closes #123`).
+  - Using a keyword will ensure the issue is automatically closed once this pull request is merged.
+  - For more information, see [Linking a pull request to an issue using a keyword](https://docs.github.com/issues/tracking-your-work-with-issues/linking-a-pull-request-to-an-issue#linking-a-pull-request-to-an-issue-using-a-keyword).
+-->
+
+- Closes #[Issue Number]
+
+## Changes
+
+<!--
+- Briefly describe or list _what_ this PR changes.
+- Share any important highlights regarding your changes, such as screenshots, code snippets, or formatting.
+-->
+
+<!--
+Thanks for contributing to Microsoft docs content!
+
+Here are some resources that might be helpful while contributing:
+- [Microsoft Docs contributor guide](https://docs.microsoft.com/contribute/)
+- [Docs Markdown reference](https://docs.microsoft.com/contribute/markdown-reference)
+- [Microsoft Writing Style Guide](https://docs.microsoft.com/style-guide/welcome/)
+-->
--- a/windows/client-management/mdm/policy-csp-internetexplorer.md
+++ b/windows/client-management/mdm/policy-csp-internetexplorer.md
@ -213,6 +213,12 @@ manager: aaroncz
  <dd>
    <a href="#internetexplorer-enableextendediemodehotkeys">InternetExplorer/EnableExtendedIEModeHotkeys</a>
  </dd>
+  <dd>
+    <a href="#internetexplorer-enableglobalwindowlistiniemode">InternetExplorer/EnableGlobalWindowListInIEMode</a>
+  </dd>
+  <dd>
+    <a href="#internetexplorer-disableieappdeprecationnotification">InternetExplorer/HideInternetExplorer11RetirementNotification </a>
+  </dd>
  <dd>
    <a href="#internetexplorer-includealllocalsites">InternetExplorer/IncludeAllLocalSites</a>
  </dd>
@ -612,6 +618,9 @@ manager: aaroncz
  <dd>
    <a href="#internetexplorer-removerunthistimebuttonforoutdatedactivexcontrols">InternetExplorer/RemoveRunThisTimeButtonForOutdatedActiveXControls</a>
  </dd>
+  <dd>
+    <a href="#internetexplorer-resetzoomfordialoginiemode">InternetExplorer/ResetZoomForDialogInIEMode</a>
+  </dd>
  <dd>
    <a href="#internetexplorer-restrictactivexinstallinternetexplorerprocesses">InternetExplorer/RestrictActiveXInstallInternetExplorerProcesses</a>
  </dd>
@ -4423,6 +4432,115 @@ ADMX Info:
 <!--/ADMXBacked-->
 <!--/Policy-->

+<hr/>
+
+<!--Policy-->
+<a href="" id="internetexplorer-enableglobalwindowlistiniemode"></a>**InternetExplorer/EnableGlobalWindowListInIEMode**  
+
+<!--SupportedSKUs-->
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+This setting allows Internet Explorer mode to use the global window list that enables sharing state with other applications.
+The setting will take effect only when Internet Explorer 11 is disabled as a standalone browser.
+
+- If you enable this policy, Internet Explorer mode will use the global window list.
+
+- If you disable or don’t configure this policy, Internet Explorer mode will continue to maintain a separate window list.
+
+<!--/Description-->
+<!--SupportedValues-->
+The following list shows the supported values:
+
+-   0 (default) - Disabled
+-   1 - Enabled
+
+<!--/SupportedValues-->
+<!--ADMXBacked-->
+ADMX Info:  
+-   GP Friendly name: *Enable global window list in Internet Explorer mode*
+-   GP name: *EnableGlobalWindowListInIEMode*
+-   GP path: *Windows Components/Internet Explorer/Main*
+-   GP ADMX file name: *inetres.admx*
+
+<!--/ADMXBacked-->
+<!--/Policy-->
+
+<hr/>
+
+<!--Policy-->
+<a href="" id="internetexplorer-disableieappdeprecationnotification"></a>**InternetExplorer/HideInternetExplorer11RetirementNotification**  
+
+<!--SupportedSKUs-->
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|No|
+|Windows SE|No|No|
+|Business|Yes|No|
+|Enterprise|Yes|No|
+|Education|Yes|No|
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+This policy setting allows you to manage whether the notification bar reminder that Internet Explorer is being retired is displayed. By default, the Notification bar is displayed in Internet Explorer 11.
+
+- If you enable this policy setting, the notification bar will not be displayed in Internet Explorer 11.
+
+- If you disable, or do not configure, this policy setting, the notification bar will be displayed in Internet Explorer 11.
+
+<!--/Description-->
+<!--SupportedValues-->
+The following list shows the supported values:
+
+-   0 (default) - Disabled
+-   1 - Enabled
+
+<!--/SupportedValues-->
+<!--ADMXBacked-->
+ADMX Info:  
+-   GP Friendly name: *Hide Internet Explorer 11 retirement notification*
+-   GP name: *DisableIEAppDeprecationNotification*
+-   GP path: *Windows Components/Internet Explorer/Main*
+-   GP ADMX file name: *inetres.admx*
+
+<!--/ADMXBacked-->
+<!--/Policy-->
+
 <hr/>
 <!--Policy-->
 <a href="" id="internetexplorer-includealllocalsites"></a>**InternetExplorer/IncludeAllLocalSites**  
@ -11161,6 +11279,60 @@ ADMX Info:

 <hr/>

+<!--Policy-->
+<a href="" id="internetexplorer-resetzoomfordialoginiemode"></a>**InternetExplorer/ResetZoomForDialogInIEMode**  
+
+<!--SupportedSKUs-->
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+This policy setting lets admins reset zoom to default for HTML dialogs in Internet Explorer mode.
+
+- If you enable this policy, the zoom of an HTML dialog in Internet Explorer mode will not get propagated from its parent page.
+
+- If you disable, or don't configure this policy, the zoom of an HTML dialog in Internet Explorer mode will be set based on the zoom of it's parent page.
+
+<!--/Description-->
+<!--SupportedValues-->
+The following list shows the supported values:
+
+-   0 (default) - Disabled
+-   1 - Enabled
+
+<!--/SupportedValues-->
+<!--ADMXBacked-->
+ADMX Info:  
+-   GP Friendly name: *Reset zoom to default for HTML dialogs in Internet Explorer mode*
+-   GP name: *ResetZoomForDialogInIEMode*
+-   GP path: *Windows Components/Internet Explorer/Main*
+-   GP ADMX file name: *inetres.admx*
+
+<!--/ADMXBacked-->
+<!--/Policy-->
+
+<hr/>
+
 <!--Policy-->
 <a href="" id="internetexplorer-restrictactivexinstallinternetexplorerprocesses"></a>**InternetExplorer/RestrictActiveXInstallInternetExplorerProcesses**  

--- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
@ -28,7 +28,13 @@ Windows Autopatch can take over software update management control of devices th

 ### About the use of an Azure AD group to register devices

-You must choose what devices to manage with Windows Autopatch by either adding them through direct membership or by nesting other Azure AD dynamic/assigned groups into the **Windows Autopatch Device Registration** Azure AD assigned group. Windows Autopatch automatically runs its discover devices function every hour to discover new devices added to this group. Once new devices are discovered, Windows Autopatch attempts to register these devices.
+You must choose what devices to manage with Windows Autopatch by adding them to the **Windows Autopatch Device Registration** Azure AD assigned group. Devices can be added using the following methods:
+
+- Direct membership 
+- Nesting other Azure AD dynamic/assigned groups
+- Bulk operations – Import members 
+
+Windows Autopatch automatically runs its discover devices function every hour to discover new devices added to this group. Once new devices are discovered, Windows Autopatch attempts to register these devices.

 > [!NOTE]
 > Devices that are intended to be managed by the Windows Autopatch service **must** be added into the **Windows Autopatch Device Registration** Azure AD assigned group. Devices can only be added to this group if they have an Azure AD device ID. Windows Autopatch scans the Azure AD group hourly to discover newly added devices to be registered. You can also use the **Discover devices** button in either the **Ready** or **Not ready** tab to register devices on demand.
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md
@ -40,6 +40,9 @@ During the [tenant enrollment process](../prepare/windows-autopatch-enroll-tenan

 Each deployment ring has a different set of update deployment policies to control the updates rollout.

+> [!WARNING]
+> Adding or importing devices into any of these groups directly is not supported and doing so might cause an unexpected impact on the Windows Autopatch service. To move devices between these groups, see [Moving devices in between deployment rings](../operate/windows-autopatch-update-management.md#moving-devices-in-between-deployment-rings).
+
 > [!IMPORTANT]
 > Windows Autopatch device registration doesn't assign devices to its test deployment ring (**Modern Workplace Devices-Windows Autopatch-Test**). This is intended to prevent devices that are essential to a business from being affected or devices that are used by executives from receiving early software update deployments.

@ -58,7 +61,7 @@ The Windows Autopatch deployment ring calculation happens during the [device reg

 | Deployment ring | Default device balancing percentage | Description |
 | ----- | ----- | ----- |
-| Test | **zero** | Windows Autopatch doesn't automatically add devices to this deployment ring. You must manually add devices to the Test ring. The recommended number of devices in this ring, based upon your environment size, is as follows:<br><ul><li>**0–500** devices: minimum **one** device.</li><li>**500–5000** devices: minimum **five** devices.</li><li>**5000+** devices: minimum **50** devices.</li></ul>Devices in this group are intended for your IT Administrators and testers since changes are released here first. This release schedule provides your organization the opportunity to validate updates prior to reaching production users. |
+| Test | **zero** | Windows Autopatch doesn't automatically add devices to this deployment ring. You must manually add devices to the Test ring following the required procedure. For more information on these procedures, see [Moving devices in between deployment rings](/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management#moving-devices-in-between-deployment-rings). The recommended number of devices in this ring, based upon your environment size, is as follows:<br><ul><li>**0–500** devices: minimum **one** device.</li><li>**500–5000** devices: minimum **five** devices.</li><li>**5000+** devices: minimum **50** devices.</li></ul>Devices in this group are intended for your IT Administrators and testers since changes are released here first. This release schedule provides your organization the opportunity to validate updates prior to reaching production users. |
 | First |  **1%** | The First ring is the first group of production users to receive a change.<p><p>This group is the first set of devices to send data to Windows Autopatch and are used to generate a health signal across all end-users. For example, Windows Autopatch can generate a statistically significant signal saying that critical errors are trending up in a specific release for all end-users, but can't be confident that it's doing so in your organization.<p><p>Since Windows Autopatch doesn't yet have sufficient data to inform a release decision, devices in this deployment ring might experience outages if there are scenarios that weren't covered during early testing in the Test ring.|
 | Fast | **9%** | The Fast ring is the second group of production users to receive changes. The signals from the First ring are considered as a part of the release process to the Broad ring.<p><p>The goal with this deployment ring is to cross the **500**-device threshold needed to generate statistically significant analysis at the tenant level. These extra devices allow Windows Autopatch to consider the effect of a release on the rest of your devices and evaluate if a targeted action for your tenant is needed.</p> |
 | Broad | Either **80%** or **90%** | The Broad ring is the last group of users to receive software update deployments. Since it contains most of the devices registered with Windows Autopatch, it favors stability over speed in an software update deployment.|
@ -81,6 +84,9 @@ When the assignment is complete, the **Ring assigned by** column changes to **Ad
 > [!NOTE]
 > You can only move devices to other deployment rings when they're in an active state in the **Ready** tab.<p>If you don't see the **Ring assigned by column** change to **Pending** in Step 5, check to see whether the device exists in Microsoft Endpoint Manager-Intune or not by searching for it in its device blade. For more information, see [Device details in Intune](/mem/intune/remote-actions/device-inventory).
  
+> [!WARNING]   
+> Moving devices between deployment rings through directly changing Azure AD group membership isn't supported and may cause unintended configuration conflicts within the Windows Autopatch service. To avoid service interruption to devices, use the **Assign device to ring** action described previously to move devices between deployment rings.
+  
 ## Automated deployment ring remediation functions

 Windows Autopatch monitors device membership in its deployment rings, except for the **Modern Workplace Devices-Windows Autopatch-Test** ring, to provide automated deployment ring remediation functions to mitigate the risk of not having its managed devices being part of one of its deployment rings. These automated functions help mitigate risk of potentially having devices in a vulnerable state, and exposed to security threats in case they're not receiving update deployments due to either:
--- a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md
+++ b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md
@ -29,10 +29,10 @@ Windows Autopatch will create Azure Active Directory groups that are required to
 | Modern Workplace-All | All Modern Workplace users |
 | Modern Workplace - Windows 11 Pre-Release Test Devices | Device group for Windows 11 Pre-Release testing. |
 | Modern Workplace Devices-All | All Modern Workplace devices |
-| Modern Workplace Devices-Windows Autopatch-Test | Immediate ring for device rollout |
-| Modern Workplace Devices-Windows Autopatch-First | First production ring for early adopters |
-| Modern Workplace Devices-Windows Autopatch-Fast | Fast ring for quick rollout and adoption |
-| Modern Workplace Devices-Windows Autopatch-Broad | Final ring for broad rollout into an organization |
+| Modern Workplace Devices-Windows Autopatch-Test | Deployment ring for testing update deployments prior production rollout |
+| Modern Workplace Devices-Windows Autopatch-First | First production deployment ring for early adopters |
+| Modern Workplace Devices-Windows Autopatch-Fast | Fast deployment ring for quick rollout and adoption |
+| Modern Workplace Devices-Windows Autopatch-Broad | Final deployment ring for broad rollout into the organization |
 | Modern Workplace Devices Dynamic - Windows 10 | Microsoft Managed Desktop Devices with Windows 10<p>Group Rule:<ul><li>`(device.devicePhysicalIds -any _ -startsWith \"[OrderID]:Microsoft365Managed_\")`</li><li>`(device.deviceOSVersion -notStartsWith \"10.0.22000\")`</li></ul><br>Exclusions:<ul><li>Modern Workplace - Telemetry Settings for Windows 11</li></ul>  |
 | Modern Workplace Devices Dynamic - Windows 11 | Microsoft Managed Desktop Devices with Windows 11<p>Group Rule:<ul><li>`(device.devicePhysicalIds -any _ -startsWith \"[OrderID]:Microsoft365Managed_\")`</li><li>`(device.deviceOSVersion -startsWith \"10.0.22000\")`</li></ul><br>Exclusions:<ul><li>Modern Workplace - Telemetry Settings for Windows 10</li></ul> |
 | Modern Workplace Roles - Service Administrator | All users granted access to Modern Workplace Service Administrator Role |
--- a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
+++ b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
@ -419,15 +419,9 @@ Your VM (or device) can be registered either via Intune or Microsoft Store for B
 > [!IMPORTANT]
 > If you've already registered your VM (or device) using Intune, then skip this step.

-Optional: see the following video for an overview of the process.
-
-&nbsp;
-
-> [!video https://www.youtube.com/embed/IpLIZU_j7Z0]
-
 First, you need a Microsoft Store for Business account. You can use the same one you created above for Intune, or follow [these instructions](/microsoft-store/windows-store-for-business-overview) to create a new one.

-Next, to sign in to [Microsoft Store for Business](https://businessstore.microsoft.com/en-us/store) with your test account,  select **Sign in** on the upper-right-corner of the main page.
+Next, to sign in to [Microsoft Store for Business](https://businessstore.microsoft.com/store) with your test account,  select **Sign in** on the upper-right-corner of the main page.

 Select **Manage** from the top menu, then select the **Windows Autopilot Deployment Program** link under the **Devices** card. See the following example:

@ -528,8 +522,6 @@ Select **OK**, and then select **Create**.

 If you already created and assigned a profile via Intune with the steps immediately above, then skip this section.

-A [video](https://www.youtube.com/watch?v=IpLIZU_j7Z0) is available that covers the steps required to create and assign profiles in Microsoft Store for Business. These steps are also summarized below.
-
 First, sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com/manage/dashboard) using the Intune account you initially created for this lab.

 Select **Manage** from the top menu, then select **Devices** from the left navigation tree.
--- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md
+++ b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md
@ -2,8 +2,8 @@
 title: Microsoft Defender SmartScreen overview
 description: Learn how Microsoft Defender SmartScreen protects against phishing or malware websites and applications, and the downloading of potentially malicious files.
 ms.prod: m365-security
-author: mjcaparas
-ms.author: macapara
+author: dansimp
+ms.author: dansimp
 ms.localizationpriority: high
 ms.reviewer: 
 manager: dansimp
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md
@ -3,13 +3,13 @@ title: Script rules in AppLocker (Windows)
 description: This article describes the file formats and available default rules for the script rule collection.
 ms.assetid: fee24ca4-935a-4c5e-8a92-8cf1d134d35f
 ms.reviewer: 
-ms.author: macapara
+ms.author: dansimp
 ms.prod: m365-security
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: mjcaparas
+author: dansimp
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md
@ -3,13 +3,13 @@ title: Understand AppLocker enforcement settings (Windows)
 description: This topic describes the AppLocker enforcement settings for rule collections.
 ms.assetid: 48773007-a343-40bf-8961-b3ff0a450d7e
 ms.reviewer: 
-ms.author: macapara
+ms.author: dansimp
 ms.prod: m365-security
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: mjcaparas
+author: dansimp
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance